3 new vulnerabilities in Notes/Domino

by Thomas Bahn,
assono GmbH, Standort Kiel,


There are 3 recently published vulnerabilities in Lotus Notes/Domino 6.5 and 7:

All 3 are resolved in the versions 6.5.6
and 7.0.1 Fix Pack 1.


Some details :

1. IBM Lotus Domino IMAP Server Buffer Overflow Vulnerability

ZDI (The Zero Day Initiative, associated with TippingPoint) contacted IBM® Lotus® to report a potential denial of service vulnerability with the IBM Lotus Domino IMAP server task.

Advisory ZDI-CAN-060 can be accessed at the following link: http://www.zerodayinitiative.com/advisories.html
 
If the IMAP server task is enabled on the Domino server, and an attacker is able to telnet to the server, it is possible for an attacker to cause a buffer overflow resulting in a denial of service attack.


2. IBM Lotus Domino Buffer Overflow Vulnerability in LDAP
iDefense contacted IBM Lotus to report a potential denial of service vulnerability with the Lotus Domino LDAP server task. This issue has been fixed in 7.0.2 Fix Pack 1 (FP1) and 6.5.6.

The iDefense advisory can be accessed from the following link: http://www.idefense.com/intelligence/vulnerabilities/
 
If the LDAP server task is running on the Domino server and a malformed request is submitted to the LDAP server for processing, it may cause a buffer overflow, resulting in a server crash.


3. Lotus Domino Web Access Cross-Site Scripting Vulnerability
iDefense contacted IBM Lotus to report a potential cross site scripting vulnerability in Domino Web Access.

The iDefense advisory can be accessed from the following link: http://labs.idefense.com/intelligence/vulnerabilities/
 
The Active Content Filter feature, which protects users from potentially malicious code execution upon reading mail in the browser, needed to be updated to account for a particular circumstance.

Technical article IBM Notes IBM Domino IBM Notes Traveler Security

Sie haben Fragen zu diesem Artikel? Kontaktieren Sie uns gerne: blog@assono.de

Do you want an individual solution? Contact us

More interesting entries

Any questions? Contact us.

If you want to know more about our offers, you can contact us at any time. There are several ways to contact us for a non-binding first consultation.

We don’t sell your data. 100% guaranteed. See: Privacy Policy
assono GmbH

Location Kiel (headquarters)
assono GmbH
Lise-Meitner-Straße 1–7
24223 Schwentinental

Location Hamburg
assono GmbH
Bornkampsweg 58
22761 Hamburg

Phone numbers:
Human resources department: +49 4307 900 407
Marketing department: +49 4307 900 402

E-Mail adresses:
contact@assono.de
bewerbung@assono.de