ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

 
Bill Malchisky
 

Integer Overflow Vulnerability Identified in IBM Notes via Pixman Library

    Bill Malchisky, July 11 2016
    Although this vulnerability will not affect everyone, in talking with my customer's AVL, I decided to post it. The CVE description indicates, "Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values." The risk is low but real. Fortunately, the fix is easy.
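
The CVE description above comes down to a size computation of the form height * stride that can wrap. The following is an added illustration, not pixman's own code: a naive product beside an overflow-checked one, with hypothetical function names and a constructed image size, so the failure the bulletin describes (and the check that prevents it) is concrete.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive: the product is formed in 32-bit unsigned arithmetic, mirroring a
 * 32-bit size field, so it silently wraps. A very tall, very wide image can
 * therefore yield a tiny (or zero) allocation that later pixel writes overrun. */
static uint32_t naive_bits_size(int height, int stride)
{
    return (uint32_t)height * (uint32_t)stride;
}

/* Checked: reject negative operands and any product larger than INT_MAX, so
 * the result is guaranteed to fit the 32-bit size field. Returns 1 and sets
 * *out on success, 0 when the multiplication would overflow. */
static int checked_bits_size(int height, int stride, int32_t *out)
{
    if (height < 0 || stride < 0)
        return 0;
    if (height != 0 && stride > INT_MAX / height)
        return 0;                 /* height * stride would exceed INT_MAX */
    *out = height * stride;       /* safe: bounded by the check above */
    return 1;
}

/* Allocate a pixel buffer only when the size arithmetic is sound; a NULL
 * return is the caller's signal to refuse the image rather than crash later. */
static void *alloc_bits(int height, int stride)
{
    int32_t n;
    if (!checked_bits_size(height, stride, &n) || n == 0)
        return NULL;
    return calloc(1, (size_t)n);
}

int main(void)
{
    /* Constructed input: 0x10000 * 0x10000 == 2^32, which wraps to 0 in 32 bits. */
    int32_t n;
    printf("naive size:   %u\n", naive_bits_size(0x10000, 0x10000));      /* 0 */
    printf("checked ok:   %d\n", checked_bits_size(0x10000, 0x10000, &n)); /* 0 */
    printf("alloc result: %s\n", alloc_bits(0x10000, 0x10000) ? "buffer" : "refused");
    return 0;
}
```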

    The risk profile for CVE-2014-9766 is available here, IBM's Security Bulletin for CVE-2014-9766 is available here, and the IBM X-Force Exchange vulnerability report indicates this has a CVSS 3.0 base score of 7.3. Read the X-Force Exchange report here.

    Within IBM Notes the component in scope is IBM Expeditor version 6.2.3 and 9.0.1 (Notes client specific). This affects the following versions of IBM Notes:
      • IBM Notes 9.0.1 FP5 and earlier releases
      • IBM Notes 9.0 IF4 and earlier releases
      • IBM Notes 8.5.3 FP6 IF10 and earlier releases
      • IBM Notes 8.5.2 FP4 IF3 and earlier releases
      • IBM Notes 8.5.1 FP5 IF3 and earlier releases
      • IBM Notes 8.5 release

    To address it, simply:
      • Notes 9.0.1 -> Get the latest Fix Pack
      • Notes 8.5.3 -> Get FP6 IF11 or above

    More good news: IBM is willing to create a custom fix for customers with different versions of Notes. So, if you have a business justification to stay with 9.0.x, for example, contact IBM support or your AVL about a resolution.

    Good luck. Stay safe.




    © 2010 William Malchisky.