Notes Vulnerability - Remote Code Execution

Technote 1271957 (http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21271957) details a vulnerability for Lotus Notes clients (6.5, 7.0, 8.0) that could result in remote code execution.

Lotus Tech Support has told me they are not supplying a hotfix for 6.5.x Notes clients.

Their recommendation is to upgrade Notes to 7.0.3.

To upgrade Notes from 6.5.x to 7.0.3 for a single vulnerability is a fairly sizeable project.

How concerned are people about this vulnerability?

Are people upgrading from 6.5.x to 7.0.3 as Lotus suggests?

Subject: Notes Vulnerability - Remote Code Execution

Hi

The problem seems to be when converting the message from SMTP to Notes format. This usually is done on the server side, not on the client side. So at least for our company, we don't care about the Notes Client. Of course we're upgrading servers to 7.0.3.

Subject: RE: Notes Vulnerability - Remote Code Execution

If the conversion is done on the server or on the client depends on how the system is configured. If the setting in the person doc says Keep in senders format, then the conversion is done on the client, so it is vulnerable and you should definitely upgrade to 7.0.3.

/Peter