
Fix available for potential security vulnerability in IBM Sametime

Fix Readme


Abstract

A fix is available for a security vulnerability that has been identified in IBM Sametime clients. The vulnerability could allow a remote attacker to deliver specially crafted commands to a user through a Sametime IM chat message. The issue exists in both the Sametime rich client (stand-alone Sametime Connect or embedded Sametime in Notes) and the Sametime web client.

Content

A fix is available that removes the vulnerability for both the rich client and the web client. SPR# KBIM8T2KWR has been created to report this issue; see also "Security Bulletin: Sametime Client Vulnerability". If you have questions about downloading and applying this fix, you are invited to make use of the IBM Sametime forum to post questions and share tips.

Contents:

  • Affected client types
  • Fix download links
  • Installation instructions


Affected client types





This potential vulnerability affects the Sametime Connect (stand-alone) client, embedded Sametime in Notes (Standard configuration), and the Sametime web client served by the Sametime Proxy Server. For the specific versions affected, refer to the fix tables below.

The following client types are not affected by this issue:
  • Sametime Mobile clients
  • STLinks integration
  • Sametime version 8.0.1, 8.0.0 or 7.5.1 of all rich clients (Notes embedded and stand-alone)
  • Embedded Sametime in Notes 8.5.3 FP2 client
  • Notes Basic clients
  • Proxy 8.5 SDK clients
  • Clients using Sametime Gateway connecting to a third-party IM gateway

You can use the following technote to identify what embedded version is in use in your Notes environment: "What Sametime client versions are embedded in what Notes client versions?" (1370003).


Fix download links





The fix for this security vulnerability is posted to IBM Fix Central. Refer to the tables below for the fix to download, by client type and version. Apply only the package that matches the Sametime version actually installed, which may differ from the version that shipped with Notes if the embedded client was later upgraded with the add-on installer.

For Sametime Connect client (stand-alone)

Sametime version (shipped in the box) | Fix delivery vehicle
--------------------------------------|----------------------------------
8.0.2                                 | 8.0.2.0-ST-Client-FP-CDLL-8WG5UB
8.5.1, 8.5.1.1                        | 8.5.1.0-ST-Client-FP-CDLL-8WG6NE
8.5.2, 8.5.2.1                        | 8.5.2.1-ST-Client-FP-CDLL-8WWKB2

For embedded Sametime in Notes (Shipped in the box)

Client      | Sametime version (shipped in the box) | Fix delivery vehicle
------------|---------------------------------------|----------------------------------------
Notes 8.5.1 | 8.0.2                                 | Notes_851FP5IF3_Standard_W32
Notes 8.5.2 | 8.0.2                                 | Notes_852FP4IF2_Standard_W32
Notes 8.5.3 | 8.5.1                                 | 8.5.3 Fix Pack 2 Incremental Installers

For embedded Sametime in Notes, updated by use of the add-on installer (Not shipped in the box)

Client      | Sametime version (shipped in the box) | Add-on installer        | Fix delivery vehicle
------------|---------------------------------------|-------------------------|----------------------------------
Notes 8.5.1 | 8.0.2                                 | Sametime 8.5.1, 8.5.1.1 | 8.5.1.0-ST-Client-FP-CDLL-8WG6NE
Notes 8.5.2 | 8.0.2                                 | Sametime 8.5.1, 8.5.1.1 | 8.5.1.0-ST-Client-FP-CDLL-8WG6NE
Notes 8.5.2 | 8.0.2                                 | Sametime 8.5.2, 8.5.2.1 | 8.5.2.1-ST-Client-FP-CDLL-8WWKB2
Notes 8.5.3 | 8.5.1                                 | Sametime 8.5.2, 8.5.2.1 | 8.5.2.1-ST-Client-FP-CDLL-8WWKB2

For Sametime Proxy Server and Web client

Sametime Proxy Server version | Fix delivery vehicle
------------------------------|------------------------------
8.5                           | 8500-ST-Proxy-IF-OOSN-8VHFH6
8.5.1.1                       | 8511-ST-Proxy-IF-OOSN-8VHF6R
8.5.2.1                       | ST-Proxy-IF-AGRE-94AF9F

For Sametime Gateway to Sametime Gateway connections

To address the vulnerability for Sametime Gateway to Sametime Gateway connections, apply the client fix to the Sametime clients that connect through the Sametime Gateway; there is no separate Gateway-side fix.


Installation instructions




The steps to apply the fix vary by client type and version, as follows:
  • Sametime Connect 8.0.2
  • Sametime Connect 8.5.1 and embedded Sametime 8.5.1
  • Sametime Connect 8.5.2 and embedded Sametime 8.5.2
  • Lotus Notes 8.5.1, 8.5.2 and 8.5.3
  • Sametime Proxy Server 8.5
  • Sametime Proxy Server 8.5.1.1
  • Sametime Proxy Server 8.5.2 IFR 1



Sametime Connect 8.0.2

Use the following steps to update a single Sametime Connect 8.0.2 client:

1. Unzip "sametime.patches.update.site.20120504.0400.zip" to a local directory.
2. Launch the Sametime Connect client and log in.
3. Select Tools > Plug-ins > Install Plugins...
4. In the update manager wizard, select "Search for new features to install", then click Next.
5. Select "Add Folder Location...". Navigate to the "updateSite" directory underneath the location where "sametime.patches.update.site.20120504.0400.zip" was unzipped.
6. Click OK to accept the site, and then click Finish to proceed.
7. In the "Select Features to Install" box, check all feature patches.
8. Click Next, complete the license page, and click Finish.
9. Select "Install" on the next page.
10. After the feature is installed, you should be prompted to restart. Select OK.

For deployment to multiple clients, refer to the following document about setting up automatic updates: Adding optional features to the client after install



Sametime Connect 8.5.1 and embedded Sametime 8.5.1

The Sametime Connect 8.5.1 cumulative fix package is available in the form of install packages for Windows (windows.zip), Mac (macosx.zip), and Linux (linux.zip).

The following table outlines the install packages by operating system and client type:
Operating system | Client type | Package name | Description
-----------------|-------------|--------------|------------
Windows | Sametime Connect 8.5.1 stand-alone | sametime.hotfix.win32.no.oi_20120414-1745.exe | Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.1 without OI (Office Integration) features
Windows | Sametime Connect 8.5.1 stand-alone | sametime.hotfix.win32_20120414-1745.exe | Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.1 with OI (Office Integration) features
Windows | Embedded Sametime in Notes 8.5.1 Fix Pack 2 or later | sametime.embedded.addon.win32_20120414-1745.exe | Windows self-extracting executable containing the MSI install files to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
Mac OSX | Sametime Connect 8.5.1 stand-alone | sametime.hotfix.macosx_20120414-1745.tar | Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect
Mac OSX | Embedded Sametime in Notes 8.5.1 Fix Pack 2 or later | sametime.embedded.addon.macosx_20120414-1745.tar | Single TAR compressed file containing the Mac PKG install package to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
Linux | Sametime Connect 8.5.1 stand-alone | sametime-hotfix-8.5.1-20120414.2015.i586.rpm | Linux RPM install package to fix stand-alone Sametime Connect
Linux | Sametime Connect 8.5.1 stand-alone | sametime-hotfix-8.5.1-20120414.2015.i386.deb | Linux Debian install package to fix stand-alone Sametime Connect
Linux | Embedded Sametime in Notes 8.5.1 Fix Pack 2 or later | sametime-connect-embedded-8.5.1-20120414.2015.i586.rpm and sametime-connect-embedded-core-8.5.1-20120414.2015.i586.rpm | Two Linux RPM install packages to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
Linux | Embedded Sametime in Notes 8.5.1 Fix Pack 2 or later | sametime-connect-embedded-8.5.1-20120414.2015.i386.deb and sametime-connect-embedded-core-8.5.1-20120414.2015.i386.deb | Two Linux Debian install packages to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later


Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32.no.oi_20120414-1745.exe file (or sametime.hotfix.win32_20120414-1745.exe if the client was installed with the Office Integration features).
1. Close the Sametime client if it is running
2. Launch the fix install executable: sametime.hotfix.win32.no.oi_20120414-1745.exe
3. When the Language dialog appears, select the language and click Next
4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it
5. Click Install to begin the installation
6. When the install completes, click Finish

For a Notes 8.5.1 Fix Pack 2 or later client, run the sametime.embedded.addon.win32_20120414-1745.exe file instead. The dialogs and steps are the same as above.

--------------------
Mac OSX install steps

Both the stand-alone and embedded form of the fix for the Mac OSX platform are provided as compressed TAR files consisting of standard PKG files. Uncompress the TAR files to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded form of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation of installing and managing RPM or DEB packages on Linux.



Sametime Connect 8.5.2 and embedded Sametime 8.5.2

The Sametime Connect 8.5.2 cumulative fix package is available in the form of install packages for Windows (windows.zip), Mac (macosx.zip), and Linux (linux.zip).

The following table outlines the install packages by operating system and client type:
Operating system | Client type | Package name | Description
-----------------|-------------|--------------|------------
Windows | Sametime Connect 8.5.2 stand-alone | sametime.hotfix.win32.no.oi_20120803-1300.exe | Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.2 without OI (Office Integration) features
Windows | Sametime Connect 8.5.2 stand-alone | sametime.hotfix.win32_20120803-1300.exe | Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.2 with OI (Office Integration) features
Windows | Embedded Sametime in Notes 8.5.2 | sametime.embedded.addon.win32_20120803-1300.exe | Windows self-extracting executable containing the MSI install files to fix embedded Sametime in Notes 8.5.2
Mac OSX | Sametime Connect 8.5.2 stand-alone | sametime.hotfix.macosx_20120803-1300.tar | Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect
Mac OSX | Embedded Sametime in Notes 8.5.2 or later | sametime.embedded.addon.macosx_20120803-1300.tar | Single TAR compressed file containing the Mac PKG install package to fix embedded Sametime in Notes 8.5.2 or later
Linux | Sametime Connect 8.5.2 stand-alone | sametime-hotfix-8.5.2-20120803.1615.i586.rpm | Linux RPM install package to fix stand-alone Sametime Connect
Linux | Sametime Connect 8.5.2 stand-alone | sametime-hotfix-8.5.2-20120803.1615.i386.deb | Linux Debian install package to fix stand-alone Sametime Connect
Linux | Embedded Sametime in Notes 8.5.2 or later | sametime-connect-embedded-8.5.2-20120803.1615.i586.rpm and sametime-connect-embedded-core-8.5.2-20120803.1615.i586.rpm | Two Linux RPM install packages to fix embedded Sametime in Notes 8.5.2 or later
Linux | Embedded Sametime in Notes 8.5.2 or later | sametime-connect-embedded-8.5.2-20120803.1615.i386.deb and sametime-connect-embedded-core-8.5.2-20120803.1615.i386.deb | Two Linux Debian install packages to fix embedded Sametime in Notes 8.5.2 or later


Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32.no.oi_20120803-1300.exe file (or sametime.hotfix.win32_20120803-1300.exe if the client was installed with the Office Integration features).
1. Close the Sametime client if it is running
2. Launch the fix install executable: sametime.hotfix.win32.no.oi_20120803-1300.exe
3. When the Language dialog appears, select the language and click Next
4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it
5. Click Install to begin the installation
6. When the install completes, click Finish

For a Notes 8.5.2 or later client, run the sametime.embedded.addon.win32_20120803-1300.exe file instead. The dialogs and steps are the same as above.

--------------------
Mac OSX install steps

Both the stand-alone and embedded form of the fix for the Mac OSX platform are provided as compressed TAR files consisting of standard PKG files. Uncompress the TAR files to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded form of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation of installing and managing RPM or DEB packages on Linux.



Notes 8.5.1, 8.5.2 and 8.5.3

Shut down the Notes client, and double-click the executable fix file. Fixes for Windows only are posted to IBM Fix Central. If you need the fix for Mac or Linux platforms, open a service request with IBM Support.



Sametime Proxy Server 8.5

1. Download the fix 8500-ST-Proxy-IF-OOSN-8VHFH6 from IBM Fix Central
2. Stop the STProxy Server
3. Create a backup of /IBM/WebSphere/AppServer/profiles/<STProxyProfile>/optionalLibraries/stproxy/stproxyservices.jar
4. Copy the stproxyservices.jar from the fix package to /IBM/WebSphere/AppServer/profiles/<STProxyProfile>/optionalLibraries/stproxy, replacing the existing file
5. Restart the STProxyServer
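The following POSIX shell function illustrates steps 3 and 4 above with the checks an operator would want before restarting the server: it refuses to run if either jar is missing, takes a timestamped backup of the installed stproxyservices.jar, copies in the jar from the fix package, and then verifies by checksum that the installed file matches the fix and the backup matches the original. This is an added example, not a script from IBM's fix package; the profile directory passed in is whatever <STProxyProfile> path is in use, and the demonstration at the bottom runs against a constructed directory layout with placeholder jar contents rather than a real WebSphere profile. Stopping and restarting the STProxy Server (steps 2 and 5) are left to the operator.

```shell
#!/bin/sh
# Added example (not IBM's): replace stproxyservices.jar with backup and verification.
set -eu

# apply_jar_fix PROFILE_DIR NEW_JAR
#   PROFILE_DIR  the STProxy WebSphere profile directory (the <STProxyProfile> path)
#   NEW_JAR      the stproxyservices.jar extracted from the fix package
# Prints the backup path on success. Returns 1 on error, 2 if the fix jar is
# already installed (so an accidental second run is a no-op, not a second backup).
apply_jar_fix() {
    profile_dir=$1
    new_jar=$2
    libdir="$profile_dir/optionalLibraries/stproxy"
    target="$libdir/stproxyservices.jar"

    [ -f "$target" ]  || { echo "no installed jar at $target" >&2; return 1; }
    [ -f "$new_jar" ] || { echo "fix jar not found: $new_jar" >&2; return 1; }

    # cksum is POSIX; the CRC is enough to detect a botched copy or a re-run.
    old_sum=$(cksum < "$target" | cut -d' ' -f1)
    new_sum=$(cksum < "$new_jar" | cut -d' ' -f1)
    if [ "$old_sum" = "$new_sum" ]; then
        echo "fix jar is identical to the installed jar; nothing to do" >&2
        return 2
    fi

    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup"      # keep the original's permissions and mtime
    cp "$new_jar" "$target"

    # Verify both copies before declaring success.
    [ "$(cksum < "$target" | cut -d' ' -f1)" = "$new_sum" ] \
        || { echo "installed jar does not match the fix jar" >&2; return 1; }
    [ "$(cksum < "$backup" | cut -d' ' -f1)" = "$old_sum" ] \
        || { echo "backup does not match the original jar" >&2; return 1; }
    echo "$backup"
}

# Constructed demonstration layout (placeholder contents, not real jar files).
demo=$(mktemp -d)
mkdir -p "$demo/profile/optionalLibraries/stproxy"
printf 'old-jar-contents' > "$demo/profile/optionalLibraries/stproxy/stproxyservices.jar"
printf 'fixed-jar-contents' > "$demo/stproxyservices.jar"

backup_path=$(apply_jar_fix "$demo/profile" "$demo/stproxyservices.jar")
echo "installed fix; original saved as $backup_path"
```

In a real deployment the two arguments would be the <STProxyProfile> directory and the path to the unpacked fix; roll back by copying the printed backup path over stproxyservices.jar and restarting the server.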



Sametime Proxy Server 8.5.1.1

Download the fix 8511-ST-Proxy-IF-OOSN-8VHF6R from IBM Fix Central.

  • STProxyHotfix.zip contains the update to be applied.
  • Instructions are provided in the readme.txt included in the fix package.
  • The STProxy Server needs to be stopped prior to the update being applied.



Sametime Proxy Server 8.5.2 IFR 1

There is a newer Cumulative Hotfix available for Sametime Proxy 8.5.2 IFR 1 that contains these fixes. Please refer to technote # 1623979 for the latest information.

Prerequisite: The Sametime System Console must be at version 8.5.2 IFR 1. If not, then you will see a failure message during the fix install noting an incorrect version level. Refer to Installing Sametime 8.5.2 Interim Feature Release 1 on the Sametime System Console to get started.

This fix must be installed on top of a Sametime Proxy Server 8.5.2 Interim Feature Release 1 (IFR 1). If the server is running 8.5.2 (without the IFR 1 fix), then the IFR 1 fix will be automatically installed.

To install this fix on a Sametime Proxy Server node, follow these steps:

1. Download the fix ST-Proxy-IF-AGRE-94AF9F from IBM Fix Central

2. Shut down the Sametime Proxy Server

3. Copy the file you downloaded onto the Sametime Proxy Server

4. Unzip the file on the server file system

5. Apply the fix by running the appropriate update command:

  • If running on the Microsoft Windows operating system, run the update.bat batch file
  • If running on the AIX, Linux or Solaris operating systems, run the update.sh script
  • If running on IBM i, run the IBMi\stii_sp\install_stp.sh script

6. Follow the instructions on screen until the installation completes

If you are running a multi-node (cluster) configuration, then repeat these instructions on each node.

Internal Use Only

Security SPR KBIM8T2KWR

Discussion points / Internal Q&A

Any conversation around this topic should be proactive and informative. This message should be delivered in such a manner as not to raise unnecessary concerns or give potential hackers insight into how to exploit the issue. For example, many customers might host a Sametime infrastructure that is restricted to the intranet within their organization. For these customers, the risk of exposure would be limited to internal-only users.

Below is a response to some of the questions that have been previously raised or anticipated. For additional questions or feedback, customers should engage IBM Support through normal channels or via their trusted advisor.

Q1) Is the fix already included in the embedded Sametime client that ships with Notes 8.5.3FP2?
A) Yes, the fix for this issue was included with the build of embedded Sametime that shipped with 8.5.3FP2. This information has now been posted in the technote to reflect that it is one of the client types not affected.

Q2) Is Notes 8.0.2 with embedded ST client impacted by this vulnerability?
A) Notes 8.0.2 (base version) ships with embedded Sametime version 8.0, so these clients are not impacted. This technote lists the versions of embedded Sametime that are not affected ("Sametime version 8.0.1, 8.0.0 or 7.5.1 of all rich clients"), and customers can use technote 1370003 to identify which version of Sametime is in use in their out-of-the-box Notes client.

Please note, it is possible for a customer to have upgraded their embedded Sametime client within Notes to a version that is affected, so customers should identify what version of Sametime embedded is in use in their Notes environment and determine if they have any impacted clients.

Q3) Are there any builds prior to 7.5.1 that are impacted? We have a few customers with a support extension for earlier versions of Notes/Sametime who will need to know if they are affected.
A) There are no known builds prior to 8.0.2 which are impacted by this issue.

Q4) Does this issue impact embedded ST in the Notes Basic client?
A) No, Notes Basic clients use a build of Sametime that is not affected. This issue only impacts the rich clients; Notes Standard configuration uses a rich Sametime client which could include an affected Sametime version. See tables above.

Q5) What is the hotfix delivery vehicle for embedded ST within Notes (Notes CHF vs Sametime hotfix)?
A) The Sametime fix is made available both as a Sametime-specific hotfix install package and as an interim Notes hotfix for Notes 8.5.1 FP5 and Notes 8.5.2 FP4. This gives customers a choice of how to deploy the embedded Sametime fix: either the Sametime-specific fix or the Notes interim fix. The Sametime hotfix is cumulative and includes the other Sametime-specific fixes in the respective Sametime codestream, but it does not include any Notes-specific fixes and does not change the Notes build/version.

Q6) Are Sametime Gateway users exposed to this vulnerability?
A) Sametime Gateway users are exposed in the same manner as non-Gateway users. Users with an affected Sametime client are encouraged to apply the fix to address other methods of exploiting this vulnerability within the Sametime environment.

Q7) Are there any language-specific fixes required or can the fix be installed regardless of the language used?
A) This issue is language agnostic and the fix works across all languages.

Q8) If a customer is using Sametime integration within iNotes, would these users be impacted by this issue?
A) There are two ways to integrate Sametime into iNotes: STLinks integration, or Sametime Proxy integration (available starting in iNotes 8.5.3). As documented in the technote, STLinks is one of the client types that is not affected by this issue, so no action is required for that configuration. If the customer is using STProxy integration, the appropriate fix should be applied on the Sametime Proxy Server.

Product: Lotus End of Support Products (SS5LUA)
Business Unit: Collaboration Solutions (BU003)
Component: IBM Sametime
Platform: Linux, OS X, Windows
Version: 8.5.2.1, 8.5.2, 8.5.1.1, 8.5.1, 8.0.2

Document Information

Modified date:
16 June 2018

UID

swg21599114