|
IBM Lotus Notes Java Applet Signature Execution Control List Security Bypass
|
|
|
|
|
Secunia Advisory:
|
SA29031
|
|
|
Release Date:
|
2008-02-20
|
|
Last Update:
|
2008-02-26
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Workaround
|
|
| Software: | IBM Lotus Notes 6.x
IBM Lotus Notes 7.x
IBM Lotus Notes 8.x
|
| | CVE reference: | CVE-2008-0862 (Secunia mirror)
|
|
|
|
|
|
Description:
A security issue has been reported in IBM Lotus Notes, which can be exploited by malicious people to bypass certain security mechanisms.
The problem is that it is possible to bypass the ECL (Execution Control List ) mechanism when e.g. a user who receives a mail containing an unsigned java applet forwards the mail to another user, which causes the unsigned applet to be signed by the original user.
Successful exploitation requires that the recipient of the forwarded mail has the "Enable Java Applets" option enabled, the ECL configured to allow the sender to execute Java, and that the sender is trusted to sign Java applets.
The security issue affects versions 6.0, 6.5, 7.0, and 8.0.
Solution:
The vendor recommends disabling the "Enable Java Applets" option or using a trusted signature for all Java Applets.
Provided and/or discovered by:
The vendor credits David Gloede.
Changelog:
2008-02-26: Added CVE reference.
Original Advisory:
http://www-1.ibm.com/support/docview.wss?uid=swg21257250
Extended Solution:
The "Extended Solution" section is available for Secunia customers only. Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
19 Related Secunia Security Advisories, displaying 10
|
|
|
1. IBM Lotus Notes Java Plug-in Sandbox Security Bypass
|
|
2. Lotus Notes Multiple Keyview Parsing Vulnerabilities
|
|
3. IBM Lotus Notes Client for Linux Insecure File Permissions
|
|
4. IBM Lotus Notes 5 / 6 Lotus 1-2-3 File Viewer Buffer Overflows
|
|
5. IBM Lotus Notes Lotus 1-2-3 File Viewer Buffer Overflows
|
|
6. IBM Lotus Notes Insecure Default Directory Permissions
|
|
7. IBM Lotus Notes File Viewer Buffer Overflow Vulnerabilities
|
|
8. IBM Lotus Notes Multiple Vulnerabilities
|
|
9. Lotus Notes Deleted Mail Recipient Security Issue
|
|
10. IBM Lotus Notes Insecure Default Directory Permissions
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
