===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1556
  Security Bulletin: IBM Domino Designer 9.0.1 and 8.5.3 Fix Pack 5 fix for
                       IBM JRE XML Parsing Vulnerability
                               31 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Domino Designer
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4002
Reference:         ASB-2013.0113
                   ESB-2013.1511
                   ESB-2013.1499
                   ESB-2013.1493
                   ESB-2013.1491
                   ESB-2013.1480
                   ESB-2013.1468

Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21652665

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Domino Designer 9.0.1 and 8.5.3 Fix Pack 5 fix for
IBM JRE XML Parsing Vulnerability

Flash (Alert)

Document information
  IBM Domino Designer
  XML/DXL
  Software version:    8.5, 9.0
  Operating system(s): Windows
  Reference #:         1652665
  Modified date:       2013-10-29

Abstract

Releases 9.0 and 8.5.3 Fix Pack 4 (and earlier) of IBM Domino Designer are
vulnerable to a denial of service attack when parsing malformed XML input.
Upgrade to Domino Designer release 9.0.1 or 8.5.3 Fix Pack 5 to fix this
issue.

Content

CVE ID: CVE-2013-4002

DESCRIPTION:

Releases 9.0 and 8.5.3 Fix Pack 4 (and earlier) of IBM Domino Designer are
vulnerable to a denial of service attack when parsing malformed input.
Upgrade to Domino Designer release 9.0.1 or 8.5.3 Fix Pack 5 to fix this
issue.

The vulnerability is triggered by malformed XML data which can cause
consumption of CPU.
CVE ID:                  CVE-2013-4002
CVSS Base Score:         7.1
CVSS Temporal Score:     See http://xforce.iss.net/xforce/xfdb/85260 for the
                         current score
CVSS Environmental Score*: Undefined
CVSS Vector:             (AV:N/AC:M/Au:N/C:N/I:N/A:C)

  Access Vector:          Network
  Access Complexity:      Medium
  Authentication:         No
  Confidentiality Impact: None
  Integrity Impact:       None
  Availability Impact:    Complete

AFFECTED PLATFORMS:

IBM Domino Designer 8.5.3 Fix Pack 4 and earlier, 9.0

REMEDIATION:

Fix: This issue is being tracked as SPR KLYH9A3JXN and can be addressed by
upgrading Domino Designer to release 9.0.1 or 8.5.3 Fix Pack 5. See the
links below for download information.

--> How to download IBM Notes 9.0.1 Social Edition from Passport Advantage
    (technote 4035440)
--> Download options for Notes/Domino 8.5.3 Fix Packs (technote 4032242)

Workaround: None

Mitigation: None

REFERENCES:

  Complete CVSS Guide
  On-line Calculator V2
  CVE-2013-4002
  http://xforce.iss.net/xforce/xfdb/85260

RELATED INFORMATION:

  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

NA

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product
and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.