IBM has published few security bulletins to address multiple vulnerabilities related to Pixman library, XStream, and IBM Java SDK used in Notes. The bundled Java virtual machine (JVM) is susceptible to different attacks as listed in the Oracle Critical Patch Update Advisories (April 2016) which could be remotely exploited without authentication. An attacker could exploit the vulnerabilities by sending specially-crafted XML data or an overly long argument, or enticing a user to open a specially-crafted file or visit a malicious website.
> IBM Notes 9.0 Interim Fix 4 and prior, 9.0.1 Fix Pack 5 and prior
> IBM Notes 8.5.3 Fix Pack 6 Interim Fix 10 and prior, 8.5.2 Fix Pack 4 Interim Fix 3 and prior, 8.5.1 Fix Pack 5 Interim Fix 3 and prior, 8.5
> IBM Notes Standard Client 9.0.1 Fix Pack 6
> IBM Notes Standard Client 8.5.3 Fix Pack 6 Interim Fix 10
> All 9.0 and 8.5.x releases of IBM Notes Standard Client prior to those listed above
Depending on the vulnerability exploited, a successful attack could lead to information disclosure, arbitrary code execution, privilege elevation, or gain complete control of the affected system.
The vendor has released fixes to address the issues and they can be downloaded at the following URL:
> Notes 9.0.1 Fix Pack 6
http://www.ibm.com/support/docview.wss?uid=swg24037141
> Notes 9.0.1 64-bit Interim Fix 4
http://www.ibm.com/support/docview.wss?uid=swg21657963
> Notes 8.5.3 Fix Pack 6 Interim Fix 11
http://www.ibm.com/support/docview.wss?uid=swg21663874#NotesDownloads
> JVM Patches for 9.0.1 Fix Pack 6
http://www.ibm.com/support/docview.wss?uid=swg21657963
> JVM Patches for 8.5.3 Fix Pack 6 plus Interim Fixes
http://www-01.ibm.com/support/docview.wss?uid=swg21663874
http://www-01.ibm.com/support/docview.wss?uid=swg21983686
http://www-01.ibm.com/support/docview.wss?uid=swg21983861
http://www-01.ibm.com/support/docview.wss?uid=swg21984075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674