[alert]Security Bulletin: IBM Lotus Notes & Domino affected by vulnerabilities in IBM JRE (CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823)[/alert]


IBM Lotus Notes and IBM Lotus Domino are vulnerable to four Java exploits where malicious agents, applets, or XPages applications can escalate privileges. These vulnerabilities are in the IBM Java SDK.


​For information about the impact of this vulnerability on other affected IBM products, ​refer to this post​ on the Product Security Incident Reporting Team (PSIRT) blog.

CVE IDs: CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823


There are a number of vulnerabilities in the IBM Java SDK versions that affect various components (ORB, XML and JMX). The vulnerabilities allow code running under a security manager to escalate its privileges by modifying or removing the security manager. Some of the issues need to be combined in sequence to achieve an exploit.

An attacker could persuade a user into running Java code from an untrusted, malicious source resulting in privilege escalation. The attacker must convince the Notes user to click on a malicious Notes:// URL which, in turn, runs a Java agent, applet or XPages application. The attack against the Domino server can be exploited only by an authenticated user with the rights to run LotusScript or Java agents on the server.

Affected Plattform: Lotus Notes 8.0.X, 8.5, 8.5.X, 8.5.3 FP3

Fix : 8.5.3 FP3 or security patch


Schreibe einen Kommentar