
U-024: IBM Lotus Sametime Configuration Servlet Lets Remote Users Obtain Configuration Data

November 1, 2011 - 8:15am


PROBLEM:

IBM Lotus Sametime Configuration Servlet Lets Remote Users Obtain Configuration Data.

PLATFORM:

All Sametime platforms: 7.0, 7.5, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.2

ABSTRACT:

A remote user can obtain configuration information.

REFERENCE LINKS:

IBM Sametime Security Bulletin
SecurityTracker Alert ID: 1026255
CVE-2011-1370

IMPACT ASSESSMENT:

Medium

Discussion:

The Sametime server contains a configuration servlet that is accessed by several Sametime server processes. By default, this servlet does not require authentication, so any user who can reach it over the network can obtain read access to configuration data. Administrators are advised to protect this servlet by configuring Sametime to require authentication for it, and to confirm afterwards that an unauthenticated request is refused rather than answered.

Impact:

A remote user can send unauthenticated requests to the configuration servlet and obtain configuration information.

Solution:

The vendor has described a fix in the IBM Sametime security documentation for Sametime Advanced 8.5.2 and Sametime Advanced 8.5.1: configure Sametime to require authentication for the configuration servlet.
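One way to verify that the mitigation took effect is to send a single unauthenticated request to the servlet and check that the server demands credentials instead of returning data. The script below is an added example written for this advisory; it is not IBM's code and is not taken from the Sametime documentation. The page does not give the servlet's path, so the caller supplies the full URL (the "https://sametime.example.com/..." placeholder in the usage line is a hypothetical value). The classification rules, the "config-servlet-check" User-Agent string and the sample responses in the comments are assumptions made for the example.

```python
"""Check that an endpoint refuses unauthenticated read access.

Added example for the Sametime configuration servlet advisory; not
vendor code. Usage: python check_servlet_auth.py https://sametime.example.com/<servlet-path>
(hypothetical URL; the real path comes from the IBM documentation).
"""
import sys
import urllib.error
import urllib.request

# HTTP redirect codes that may indicate a bounce to a login page.
REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify(status, headers, body):
    """Classify one unauthenticated response.

    Returns:
      "protected" - server demanded credentials (401), refused (403),
                    redirected to a login/auth URL, or served a login form
      "exposed"   - server answered 200 with a non-empty body and no login form
      "unknown"   - anything else (empty body, unexplained redirect, 5xx, ...)
    headers may be a dict or an http.client.HTTPMessage (both support .get).
    """
    if status in (401, 403):
        return "protected"
    if status in REDIRECT_CODES:
        location = (headers.get("Location") or "").lower()
        # Assumption: a redirect target containing "login" or "auth" is the
        # authentication front door; any other redirect needs manual review.
        if "login" in location or "auth" in location:
            return "protected"
        return "unknown"
    if status == 200:
        # Some products return 200 with an inline login form rather than 401.
        if 'type="password"' in body.lower():
            return "protected"
        return "exposed" if body.strip() else "unknown"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Send one unauthenticated GET (no cookies, no credentials) and classify.

    Network-dependent; classify() is the offline, testable part.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "config-servlet-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, resp.headers, body)
    except urllib.error.HTTPError as err:
        # Non-2xx and unfollowed redirects arrive here with code and headers.
        body = err.read().decode("utf-8", "replace") if err.fp else ""
        return classify(err.code, err.headers, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_servlet_auth.py <servlet-url>")
    verdict = probe(sys.argv[1])
    print(f"{sys.argv[1]}: {verdict}")
    # Non-zero exit when the servlet still answers without authentication.
    sys.exit(1 if verdict == "exposed" else 0)
```

Run it from a host that has no Sametime session or cookies; a "protected" verdict means the server demanded authentication, an "exposed" verdict means configuration data is still being returned to anonymous requests, and "unknown" (for example a redirect to an unexpected location or a 5xx error) should be inspected by hand rather than treated as a pass.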
