
====================================================================

                               CERT-Renater

                    Note d'Information No. 2016/VULN258
_____________________________________________________________________

DATE                : 17/06/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running IBM Notes version 8.5, 8.5.1.5,
      8.5.2.4, 8.5.3.6, 9.0, 9.0.1.5 prior to 9.0.1 FP6, 8.5.3 FP6 IF10.

======================================================================
http://www.ibm.com/support/docview.wss?uid=swg21982277
____________________________________________________________________

Security Bulletin: Vulnerabilities in IBM Notes KeyView PDF Filters
(CVE-2016-0301, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277)

Security Bulletin

Document information

More support for:

IBM Notes

Security

Software version:

8.5, 8.5.1.5, 8.5.2.4, 8.5.3.6, 9.0, 9.0.1.5

Operating system(s):

Linux, OS X, Windows

Reference #:

1982277

Modified date:

2016-06-15


Summary

Multiple vulnerabilities observed in PDF filter of KeyView as
used by IBM Notes.

Vulnerability Details

CVEID:

CVE-2016-0277


DESCRIPTION:

IBM Domino is vulnerable to a heap-based buffer overflow, caused by
an error in the KeyView PDF filter when parsing a PDF document. By
persuading a victim to open a specially-crafted attachment, a remote
attacker could overflow a buffer and execute arbitrary code on the
system or cause the application to crash.

CVSS Base Score: 7.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111136

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:

CVE-2016-0278


DESCRIPTION:

IBM Domino is vulnerable to a heap-based buffer overflow, caused by
an error in the KeyView PDF filter when parsing a PDF document. By
persuading a victim to open a specially-crafted attachment, a remote
attacker could overflow a buffer and execute arbitrary code on the
system or cause the application to crash.

CVSS Base Score: 7.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111137

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:

CVE-2016-0279


DESCRIPTION:

IBM Domino is vulnerable to a heap-based buffer overflow, caused
by an error in the KeyView PDF filter when parsing a PDF document.
By persuading a victim to open a specially-crafted attachment, a
remote attacker could overflow a buffer and execute arbitrary code
on the system or cause the application to crash.

CVSS Base Score: 7.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111138

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:

CVE-2016-0301


DESCRIPTION:

IBM Domino is vulnerable to a heap-based buffer overflow, caused by
an error in the KeyView PDF filter when parsing a PDF document. By
persuading a victim to open a specially-crafted attachment, a remote
attacker could overflow a buffer and execute arbitrary code on the
system or cause the application to crash.


CVSS Base Score: 7.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111413

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


Affected Products and Versions

IBM Notes 9.0.1 FP5 IF3 and earlier releases

IBM Notes 8.5.3 FP6 IF9 and earlier releases

IBM Notes 9.0 IF4 and earlier releases

IBM Notes 8.5.2 FP4 IF3 and earlier releases

IBM Notes 8.5.1 FP5 IF3 and earlier releases

IBM Notes 8.5 release


Remediation/Fixes


Product                      Version         Link
IBM Notes                    9.0.1 FP6
http://www-01.ibm.com/support/docview.wss?uid=swg24037141

IBM Notes                    8.5.3 FP6 IF10
http://www-01.ibm.com/support/docview.wss?uid=swg21663874

IBM Notes MUI Upgrade Packs  9.0.1 FP6
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FLotus%2FLotus+Notes&fixids=NOTES_901FP6_KEYVIEW_MUI_UPDATE_1022

IBM Notes MUI Upgrade Packs  8.5.3 FP6 IF10
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FLotus%2FLotus+Notes&fixids=NOTES_853FP6_KEYVIEW_MUI_UPDATE_1022

Customers who remain on the following releases may open a Service
Request with IBM Support and reference SPRs KLYHA73QUC, KLYHA73R7L,
KLYHA73RBN and SSGEA7HBW9 to inquire about custom fixes.


IBM Notes 9.0.1 FP5 IF3 and earlier releases

IBM Notes 9.0 IF4 and earlier releases

IBM Notes 8.5.3 FP6 IF9 and earlier releases

IBM Notes 8.5.2 FP4 IF3 and earlier releases

IBM Notes 8.5.1 FP5 IF3 and earlier releases

IBM Notes 8.5 release


NOTES:

In addition to the above listed releases, if customers need remediation
fixes for MUI, they can request custom MUI fixes on top of the above by

opening a Service Request with IBM Support

To use any of the above versions, KeyView fixes provided in relevant
versions mentioned in the above table must be incorporated.


Workarounds and Mitigations

Users can work around these issues by "Opening" the PDF attachment
(which will use Adobe Acrobat) instead of "Viewing" the attachment.
Furthermore, users can also disable the KeyView PDF viewer.

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.


References

Complete CVSS v3 Guide

On-line Calculator v3


Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Security Bulletin: Vulnerabilities in IBM Domino Keyview PDF Filters
(CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277)

(technote 1983292)


Acknowledgement

This vulnerability was reported to IBM by Aleksandar Nikolic of Cisco
Talos.


Change History

6/15: Initial publication.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the
links in the Reference section of this Security Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open
standard designed to convey vulnerability severity and help to
determine urgency and priority of response." IBM PROVIDES THE CVSS
SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.

==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================