 

Deployed or upgraded to Lotus Connections 3.0? Read this

16 Feb
We have issued a flash for a serious security issue.  We want to ensure that all customers using Connections 3.0 apply this patch - certainly if they are in production, but also if they have pilots where a breach in the security of the logon would be an issue. 

 

https://www-304.ibm.com/support/docview.wss?mynp=OCSSYGQH&mync=E&uid=swg21462435&myns=swglotus 




The issue was found internally by our team.  There are no public disclosures of the vulnerability at this time, and no evidence that anyone has found or exploited the issue yet.  We won't be sharing any information on the nature of the issue, in order to minimize the risk of a public disclosure. 



It is a WAS issue, specific to WAS 7.0.0.x, and the WAS patch completely protects against the issue. 

Whether the customer has seen an issue or not, they are exposed. 

Our own evaluation of the threat level of this specific exposure dictated that the patch be applied immediately to Greenhouse, for example.



We have also created Connections ifixes to make us less exposed to WAS bugs in this area in the future. They aren't mandatory, just additional defensive code.
Time to get patched - you have been warned.

 
 
