Here’s a collection of recent security vulnerabilities and alerts, which include vulnerabilities discovered in Lotus Notes and Domino as well as multiple SQL-injection vulnerabilities discovered in Oracle interMedia.
- Vulnerabilities discovered in Lotus Notes and Domino
The discovered vulnerabilities could allow attackers to inject and execute arbitrary code on systems running the above. IBM has released updated versions of the software that fixes the bugs.
The four vulnerabilities involve Notes’ IMAP service; its scripting language, LotusScript; the Domino server’s command console; and how both Notes and Domino map memory in Windows when they’re used in a shared environment such as Citrix.
Additional reading from heise Security:
- Buffer overflow vulnerability in Lotus Notes file viewers (.wpd, .sam, .doc, and .mif), security advisory from IBM
- Lotus Domino IMAP buffer overflow vulnerability, security advisory from IBM
- Evaluate LotusScript method returns unexpected results, security advisory from IBM
- Potential security issue with Domino Certificate Authority (CA) process commands, security advisory from IBM
- Potential vulnerability in Notes/Domino memory mapped files, security advisory from IBM
- IBM Lotus Notes Attachment Viewer Buffer Overflow Vulnerabilities, security advisory from Tan Chew Keong on vuln.sg
- Lotus Notes Memory Mapped Files Vulnerability, security advisory from Symantec on the Bugtraq mailing list
- Oracle interMedia prone to multiple SQL-injection vulnerabilities
The vulnerability stems from insufficient sanitizing of user-supplied data.
Successful exploits may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Exploit code can be found here.