IBM Plugs Two Holes in Lotus Domino Security
Mar 29, Technology
The company patches flaws that could have allowed hackers to execute code remotely in Lotus Domino Web Access and Lotus Domino Server 7.0.1.
IBM has patched two vulnerabilities uncovered last year in its Lotus Domino product line.
Both vulnerabilities were fixed in Lotus Domino 6.5.6 and 7.0.2 Fix Pack 1.
Last August, Sterling, Va.-based iDefense Labs reported a cross-site scripting vulnerability affecting IBM Lotus Domino Web Access, a Web-based messaging and collaboration interface for the Lotus Domino server.
"The vulnerability specifically exists due to improper HTML filtering of e-mail message contents. Although Web Access attempts to filter out HTML and script code, certain code sequences will bypass the filters and successfully execute JavaScript," according to iDefense.
IBM officials stated in an advisory that the Active Content Filter feature needed to be updated to thwart the attack.
The second flaw is a heap overflow vulnerability affecting IBM Lotus Domino Server software, which provides messaging and scheduling capabilities on a number of operating systems. If a hacker were to exploit the vulnerability in the directory service (LDAP) component of IBM's Lotus Domino Server 7.0.1 remotely, the hacker could cause a denial of service or execute arbitrary code. It was reported to IBM by iDefense in October.
"When a malformed request is made to the LDAP component of a Lotus Domino Enterprise Server, a heap overflow can be triggered," according to a security alert posted by iDefense. "The vulnerability specifically exists in the handling of strings larger than 65,535 bytes. When a string longer than this value is encountered, the service allocates memory using only the lower 16 bits of the string length. Since the entire string is subsequently copied into the newly allocated buffer, a heap-overflow occurs."
Although the service does not run as root, it does run as the same user as many other components of the Lotus Domino Server, so an attacker may gain access to sensitive information or subvert the server. In order to attempt exploitation, however, attackers must be able to connect to the LDAP service, according to the iDefense advisory.
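The bug class iDefense describes above (a buffer sized from the lower 16 bits of a length, then filled with the full-length string) is a length-truncation error that is easy to model. The following C is an added illustration written for this article, not Domino code and not iDefense's proof of concept: `overflow_bytes_for_length` computes, without performing any unsafe copy, how far a copy would run past a buffer sized from a truncated length, and `copy_ldap_string` shows the defensive pattern of validating the untruncated length before allocating from it. `LDAP_STRING_MAX` is an assumed limit for the example, not a value from the advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed maximum accepted for a single string in this example; not a
 * Domino or iDefense value. */
#define LDAP_STRING_MAX 65535u

/* Model of the flaw as described: the allocation size is taken from only
 * the lower 16 bits of the string length, while the whole string is
 * copied. Returns how many bytes such a copy would write past the
 * allocation (0 means the sizes agree). Nothing is copied here. */
size_t overflow_bytes_for_length(size_t len)
{
    uint16_t alloc_len = (uint16_t)len;   /* truncation: 65536 -> 0, 70000 -> 4464 */
    return len - alloc_len;               /* bytes the copy would overrun */
}

/* Hardened copy: check the full-width length against an explicit limit,
 * then allocate from that same untruncated value. Returns NULL when the
 * length is rejected or allocation fails, otherwise a NUL-terminated copy
 * the caller must free. */
char *copy_ldap_string(const unsigned char *src, size_t len)
{
    if (src == NULL || len > LDAP_STRING_MAX)
        return NULL;
    /* len + 1 cannot wrap: len is bounded by LDAP_STRING_MAX. */
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst;
}

int main(void)
{
    /* Constructed lengths around the 16-bit boundary. */
    size_t lens[] = { 100, 65535, 65536, 70000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("length %zu: truncated allocation would be overrun by %zu bytes\n",
               lens[i], overflow_bytes_for_length(lens[i]));

    unsigned char sample[] = "cn=constructed sample";   /* constructed input */
    char *ok = copy_ldap_string(sample, sizeof sample - 1);
    printf("hardened copy: %s\n", ok ? ok : "(rejected)");
    free(ok);

    /* An oversized length is refused up front instead of being truncated. */
    printf("oversized length: %s\n",
           copy_ldap_string(sample, 70000) ? "copied" : "rejected");
    return 0;
}
```

The detection value of the first function is that any length at or above 65536 yields a non-zero overrun, which is exactly the threshold the advisory names; the hardened function never lets a size reach `malloc` through a narrower type than the one the length arrived in.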
Copyright 2007 by Ziff Davis Media, Distributed by United Press International