IBM Support

Security Bulletin: Potential Security Exposure in IBM Lotus Sametime Configuration Servlet (CVE-2011-1370)

Flashes (Alerts)


Sametime configuration servlet may allow third party access to configuration data unless authentication is enabled.





CVE ID: CVE-2011-1370

DESCRIPTION: The Sametime server contains a configuration servlet that is accessed by several Sametime server processes. By default, this servlet does not require authentication, which could potentially allow an unauthorized user to obtain read access to configuration data. Administrators are advised to protect this servlet by configuring Sametime to require authentication to this servlet.

CVSS Base Score: 5.0
CVSS Temporal Score: See the X-Force Vulnerability Database entry listed under References for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected platforms: All Sametime Platforms


It is recommended that all Sametime installations immediately secure this servlet by following the instructions below.
Administrators should also take steps to update the passwords on all credentials that are stored within the Sametime configuration database.

Sametime Development currently plans to establish authentication as the default setting of this servlet in a future release.


The steps to secure this servlet are as follows:

1. Setting authentication requirement on Sametime configuration servlet (SCS)

Follow the steps in the technote "Configuration servlet does not require authentication as a default" (#1569209) to set the authentication requirement.

2. Confirming/Updating connection properties in SSC Configuration for Community servers (if applicable)

Once you have enabled authentication to the servlet, you need to update the connection properties and confirm that you can administer the server(s) from the Sametime System Console.

If you are unable to administer them, see the following documentation to update and/or set the connection properties:

Sametime 8.5.1.x Information Center "Updating Sametime Community Server connection properties on the console"

Sametime 8.5.2 product documentation "Updating Sametime Community Server connection properties on the console"

Known issues or limitations once authentication is enabled

When upgrading community servers, you might get a warning that registration of the upgrade failed.
Manual registration of Sametime Community Servers and Clusters with the Sametime System Console might not work.


SSL can be enabled to further protect the data when it is actively being accessed by administration functions. If your Sametime Community Servers are accessible from the Internet, then this step is highly recommended.

Enabling SSL

a. Follow the Domino configuration steps to enable HTTPS on the Domino server(s):

Setting up SSL on a Domino server

Quick guide to setting up SSL using Domino as the Certificate Authority (#1114148)

b. Then follow these steps on configuring Sametime to use SSL:

Sametime 8.5.2 product documentation "Preparing Sametime to use SSL"

Sametime 8.5.1.x Information Center "Preparing Lotus Sametime to use SSL"

c. If applicable, import the Domino SSL Certificate into the Sametime System Console default trust store, as follows:

Sametime 8.5.2 product documentation "Adding a Sametime server SSL certificate to the Sametime System Console"

Sametime 8.5.1.x Information Center "Adding a Sametime server SSL certificate to the Sametime System Console"
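A post-remediation check for the two properties the steps above establish (anonymous requests to the servlet are refused, and the exchange is over SSL), added here as an example and not IBM's or Sametime's code. It assumes Python 3; SERVLET_PATH is a placeholder for the servlet path used in your deployment, and the server URL is supplied by the caller.

```python
"""Post-remediation check for the Sametime configuration servlet described above.
Added example, not IBM's or Sametime's code. SERVLET_PATH is a placeholder:
substitute the path the servlet uses in your deployment."""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

SERVLET_PATH = "/PLACEHOLDER-configuration-servlet-path"  # placeholder, not a real path


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib surface the 3xx as an HTTPError instead of
    following it, so a redirect to a login page is never mistaken for a 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def assess(status, scheme):
    """Classify one anonymous probe. Only a 401/403 over HTTPS is 'ok': the servlet
    refused the unauthenticated request and the exchange was not in cleartext."""
    if status in (401, 403):
        return "ok" if scheme == "https" else "auth-required-but-cleartext"
    if status == 200:
        return "anonymous-read-allowed"   # the exposure in this bulletin is still present
    if status in (301, 302, 307, 308):
        return "redirected-recheck-target"  # e.g. HTTP -> HTTPS; probe the target as well
    return "unexpected-status-%d" % status


def probe(base_url, timeout=10):
    """Send one request carrying no credentials and return a finding string.
    Certificate validation stays enabled, so a Domino certificate that is not in
    the local trust store is reported rather than silently accepted."""
    url = base_url.rstrip("/") + SERVLET_PATH
    scheme = urlparse(url).scheme
    opener = urllib.request.build_opener(
        NoRedirect(), urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return assess(resp.status, scheme)
    except urllib.error.HTTPError as err:      # 4xx/5xx and, via NoRedirect, 3xx
        return assess(err.code, scheme)
    except urllib.error.URLError as err:       # TLS or connection failure
        if isinstance(err.reason, ssl.SSLError):
            return "tls-untrusted-or-failed"
        return "connection-failed"
```

Call probe("https://<server>") for each Community server and the System Console; any finding other than "ok" points at a step above that is still outstanding.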


References

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database - IBM Lotus Sametime Configuration Servlet information disclosure
· CVE-2011-1370

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date:
16 June 2018