SB2014013101 - Multiple vulnerabilities in IBM Sametime

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2013-3984)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not set the secure flag for an unspecified cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0906)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not check whether a session cookie is current, which allows remote attackers to conduct user-search actions by leveraging possession of a (1) expired or (2) invalidated cookie.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-6727)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Connect client in IBM Sametime 8.5.2 through 8.5.2.1 and 9.0 before HF1 does not properly restrict unsigned Java plugins, which allows remote attackers to obtain sensitive information via unspecified vectors.

Remediation

Install update from vendor's website.

References

• http://www-01.ibm.com/support/docview.wss?uid=swg21671201
• https://exchange.xforce.ibmcloud.com/vulnerabilities/84967
• https://exchange.xforce.ibmcloud.com/vulnerabilities/91854
• http://www-01.ibm.com/support/docview.wss?uid=swg21662725
• https://exchange.xforce.ibmcloud.com/vulnerabilities/89282