ESB-2013.0590 - [Win][Linux][OSX] IBM Sametime: Multiple vulnerabilities

Date: 29 April 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0590
    Security Bulletin: Vulnerability in Sametime Links (CVE-2013-0533),
 Sametime Connect Clients and in Sametime Advanced Server (CVE-2013-0553)
                               29 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sametime
Publisher:         IBM
Operating System:  Linux variants
                   OS X
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0553 CVE-2013-0533 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21633620
   http://www-01.ibm.com/support/docview.wss?uid=swg21633618

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in Sametime Links (CVE-2013-0533)

Document information

IBM Sametime

STLinks/Toolkits

Software version:
8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1

Operating system(s):
Linux, Mac OS X, Windows

Reference #:
1633620

Modified date:
2013-04-22

Abstract

Sametime Links is affected by a DOM-based XSS vulnerability that can be exploited. 
A fix is provided.

Content

CVE-ID: CVE-2013-0533

DESCRIPTION

The Lotus iNotes webmail interface includes a Sametime chat component. This 
component suffers from a reflected, DOM-based XSS. Because it is available on 
the same interface as the webmail system, this would allow attackers to 
execute arbitrary commands on the webmail interface in the context of logged-in 
users and, for example, gain access to their emails. 

The issue can be fixed by updating the Sametime Links server with the fix 
provided here. 

CVSS: 

CVSS Base Score: 3.5 
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82655 for the 
current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N) 

*The CVSS Environment Score is customer-environment specific and will ultimately 
impact the Overall CVSS Score. Customers can evaluate the impact of this 
vulnerability in their environments by accessing the links in the Reference 
section (below) of this Flash document. 


AFFECTED PLATFORMS

Sametime Links 8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1 server on 
any platform. 

REMEDIATION

The recommended solution is to apply the fixes that are provided by IBM for 
the affected Sametime Links server. 

FIX

Refer to the following technote for instructions on how to download the 
relevant fixes: 
"Fix available for potential security vulnerability in IBM Sametime Links server" 

WORKAROUND

None known; apply fixes. 

MITIGATION

None known; apply fixes. 

REFERENCES

X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/82655 
CVE-2013-0533: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0533 


RELATED INFORMATION


Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html 
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 


ACKNOWLEDGEMENT 

The vulnerability was reported to IBM by Alexander Klink, n.runs AG.

- ---------------------------------------------------------------------------

Security Bulletin: Vulnerability in Sametime Connect Clients and in Sametime 
Advanced Server (CVE-2013-0553)

Document information

IBM Sametime

Software version:
8.5.1, 8.5.1.1, 8.5.2, 8.5.2.1

Operating system(s):
Linux, Mac OS X, Windows

Reference #:
1633618

Modified date:
2013-04-22

Abstract

A security vulnerability has been identified in IBM Sametime clients. 
This vulnerability could allow a remote attacker to send commands in a 
specially crafted way in a Sametime Instant Message (IM).

Content

CVE-ID: CVE-2013-0553

DESCRIPTION:

A security vulnerability has been identified in IBM Sametime clients. 
This vulnerability could allow a remote attacker to send commands in a 
specially crafted way, either in a Sametime IM chat to a single user or in a 
chat room to all of the chat room participants. The issue exists in Sametime 
Connect, embedded Sametime in Notes, and in Sametime Advanced Server.


CVSS: 

CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82915 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)
*The CVSS Environment Score is customer-environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the links in the 
References section of this Flash.

AFFECTED PLATFORMS: 

This potential vulnerability affects the Sametime clients, standalone and 
embedded, at versions 8.5.1, 8.5.1.1, 8.5.2 and 8.5.2.1 on Windows, 
Macintosh and Linux. It also applies when these clients communicate over a 
Sametime Gateway to Sametime Gateway connection.

This potential vulnerability affects the following Sametime clients:
- - Sametime Connect client (stand-alone)
- - Embedded Sametime in the Lotus Notes client
- - The above clients using Sametime Gateway connecting to another Sametime 
Gateway
- - Sametime Advanced Connect client (stand-alone)
- - Embedded Sametime Advanced in the Lotus Notes client
- - Sametime Advanced Web client

For specific versions affected, refer to the fix links below.

The following client types are NOT affected by this issue:
- - Sametime Web client (uses the Sametime Proxy server)
- - Sametime Mobile clients
- - STLinks integration
- - Sametime version 8.0.2, 8.0.1, 8.0.0, or 7.5.1 of all rich clients (Notes 
embedded and stand-alone)
- - Notes Basic clients
- - Proxy 8.5 SDK clients
- - The above clients using Sametime Gateway connecting to a third-party IM 
gateway

DETERMINING WHICH EMBEDDED VERSION IS IN YOUR ENVIRONMENT: 

You can use the following technote to identify which embedded version is 
in use in your Notes environment: "What Sametime client versions are embedded 
in what Notes client versions?" (1370003).

REMEDIATION: 

The recommended solution is to apply the fixes that are provided by IBM for 
the affected Sametime clients.

FIX: 

Refer to the following technotes for instructions on how to download the relevant 
fixes:
Sametime Connect Clients: http://www.ibm.com/support/docview.wss?uid=swg21632785
Sametime Advanced Server: http://www.ibm.com/support/docview.wss?uid=swg21628657

WORKAROUND: 

None known; apply fixes.

MITIGATION: 

None known; apply fixes.

REFERENCES: 
X-Force Vulnerability Database - http://xforce.iss.net/xforce/xfdb/82915
CVE-2013-0553 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0553

RELATED INFORMATION: 
Complete CVSS Guide - http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2 - http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2


ACKNOWLEDGEMENT: 
The vulnerability was reported to IBM by Brian Reilly from ADP.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUX3mcu4yVqjM2NGpAQLE8hAAix6p94R2Uj1uiehLZ31zq32QB/bKLBN9
PgJbDcWh2DXW3oKrURK9oRe3EgN3W9j+VS8zeTMuoAoW1WLIOftXh22a6BtpvK9x
SAEThppXyO9IN5zF550YghD1jzHzPK8EejWgFut8tIOADSX9FW0AT/7W/ZPgMjXL
hz7Hds/HSkZ9jOVAFR1/fZZ5Sh0vcM8SC8UiVfgf9F7/nMEjduJDk8dELXZUeG2v
Iopp/kRMv50Eo+GLw37YjpifhjoaoCMusaDmN2dfscU9tFbAXlh8TLJvc8BtMd1r
VClbOj9cn0N41jcenwr/uzM9MGunaxg4e3a4jSwf6oupwNkevt5pTdj6NKTBw72B
Fz7G3QRhb73/wYLpW/dqkujpEZg9kmhltPnvFsYzca7aYBWW49UgENcaliGKX9Tf
WZJ2Sv5EuXpRUpdpgc+JsCTJKs+PGg7MMNJdx2ane1XGjdCC0srqYkNrPe8p7xaL
u70TauxvrAoahwp5URjsK9Pq+DI8DEWMA3YQJNV7G35BgzR4NvIGyCOJyt5qqHao
vWxAecU16ognY3zKmcJvmn93MIaMbu6wiXRFHuLrC4wUgrPsSYzK3N7+QFt8twge
DfQ1stebyPTtc/NPGB25coZr8RqmTtMejVHD9cNQm+ESQvxrPdKTbwZ94HK59yig
SYyYBkDQsL0=
=DTnK
-----END PGP SIGNATURE-----