|
Description
|
|
Multiple vulnerabilities have been reported in IBM Notes and IBM Domino, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The product bundles a vulnerable version of Dojo Toolkit.
For more information:
SA62590
2) An integer overflow error when parsing BMP images can be exploited to cause a stack-based buffer overflow via a specially crafted BMP image.
3) A boundary error when handling colour palette in BMP images can be exploited to cause a stack-based buffer overflow via a specially crafted BMP image.
Successful exploitation of the vulnerabilities #2 and #3 may allow execution of arbitrary code.
The vulnerabilities are reported in the following products and versions:
* IBM Domino versions prior to 9.0.1 Fix Pack 3 Interim Fix 3 and 8.5.3 Fix Pack 6 Interim Fix 7.
* IBM Notes versions prior to 9.0.1 Fix Pack 3 Interim Fix 4 and 8.5.3 Fix Pack 6 Interim Fix 6.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable Software:
IBM Domino (formerly IBM Lotus Domino) 9.xIBM Lotus Domino 8.xIBM Lotus Notes 8.xIBM Notes (formerly IBM Lotus Notes) 9.x
|
|
|
|
|
|
Solution
|
|
Update to a fixed version.IBM Domino:Update to version 9.0.1 Fix Pack 3 Interim Fix 3 or 8.5.3 Fix Pack 6 Interim Fix 7.IBM Notes:Update to version 9.0.1 Fix Pack 3 Interim Fix 4 or 8.5.3 Fix Pack 6 Interim Fix 6.
|
|
|
|
|
|
CVE
|
|
CVE-2015-1903
CVE-2015-1902
CVE-2014-8917
|
|
|
|
|
|
References
|
|
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21883245
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-15-193/
http://www.zerodayinitiative.com/advisories/ZDI-15-194/
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
