Description:
IBM has published a security bulletin to address a vulnerability in the Apache Commons Collections library shipped with Domino and Notes. The library's InvokerTransformer class invokes an arbitrary method by reflection when an object graph containing it is deserialized, so any code path that passes untrusted data to Java object deserialization (ObjectInputStream.readObject) can be made to run attacker-chosen code. An attacker could send specially crafted serialized data to an affected system to execute arbitrary Java code.
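The following is an added example, not IBM's fix and not code from Apache Commons Collections. It shows the vulnerable pattern the description refers to (a plain ObjectInputStream that instantiates whatever classes the stream names) next to a hardened reader that checks each class name in resolveClass before the class is loaded, rejecting the Commons Collections functor packages outright and anything not on an application allowlist. The allowlist contents, the class names SafeObjectInputStream and SafeDeserialization, and the sample inputs (a HashMap as the expected type, a java.util.Date as a stand-in for an unexpected type) are assumptions made for this demonstration.

```java
import java.io.*;
import java.util.*;

/**
 * Added example: look-ahead class filtering for Java deserialization.
 * Not IBM's patch and not Commons Collections code; names and lists are assumptions.
 */
public class SafeDeserialization {

    /** Classes this (hypothetical) application legitimately expects in the stream. */
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

    /** Packages holding the transformer gadget classes (InvokerTransformer lives in functors). */
    private static final String[] GADGET_PREFIXES = {
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors."};

    /** Hardened reader: resolveClass runs for every class descriptor before instantiation. */
    static final class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String p : GADGET_PREFIXES) {
                if (name.startsWith(p)) {
                    throw new InvalidClassException(name, "known deserialization gadget class");
                }
            }
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Helper used only to build constructed sample streams for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: trusts whatever class names the stream carries. */
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: same API, but classes are vetted as their descriptors are read. */
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> expected = new HashMap<>();
        expected.put("answer", 42);
        byte[] good = serialize(expected);           // constructed: the type the app expects
        byte[] unexpected = serialize(new Date(0));  // constructed: a type the app never expects

        System.out.println("unsafe read, expected type:   " + unsafeRead(good));
        System.out.println("safe read, expected type:     " + safeRead(good));
        System.out.println("unsafe read, unexpected type: " + unsafeRead(unexpected));
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            // Rejected before java.util.Date is resolved or instantiated
            System.out.println("safe read rejected:           " + e.getMessage());
        }
    }
}
```

The check fires on the class name in the stream's class descriptor, so a gadget class is refused before the JVM loads it or runs any of its deserialization hooks; removing the library from the classpath is the other half of the remediation, since the allowlist only protects readers that use it. On Java 9 and later (and 8u121 and later) the same policy can be expressed with the JDK's built-in ObjectInputFilter (JEP 290) instead of overriding resolveClass.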
Affected Systems:
- IBM Domino 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 3
- IBM Domino 9.0.0x
- IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 10
- IBM Domino 8.5.2x, 8.5.1x
- IBM Notes 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 2
- IBM Notes 9.0.0x
- IBM Notes 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 6
- IBM Notes 8.5.2x, 8.5.1x
Impact:
Successful exploitation could lead to arbitrary code execution.
Recommendation:
The vendor has released fixes to address the issue. They can be downloaded from the following URLs; apply the installer that matches the installed release line:
- Java patch installer for Notes & Domino 9.0.1 Fix Pack 5
http://www-01.ibm.com/support/docview.wss?uid=swg24037141
- Java patch installer for Notes 9.0.1 Fix Pack 5 Interim Fix 1 (Windows only)
http://www.ibm.com/support/docview.wss?uid=swg21657963
- Java patch installer for Notes & Domino 8.5.3 Fix Pack 6 Interim Fixes
http://www.ibm.com/support/docview.wss?uid=swg21663874
More Information:
http://www-01.ibm.com/support/docview.wss?uid=swg21971751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7450