Though Oracle delivered its final Critical Patch Update of 2014 weeks ago, tech giant IBM is just getting around to patching several severe Java vulnerabilities that were addressed in the July CPU.
IBM said in a recent security advisory that updates are available for both Notes and Domino version 9.0.1 Fix Pack 2 and version 8.5.3 Fix Pack 5/6. The updates plugged a total of 15 vulnerabilities, with four of the flaws rated as a 9.3 or higher according to the Common Vulnerability Scoring System (CVSS).
CVE-2014-4227, the sole bug rated as a 10.0, was the result of IBM's implementation of a vulnerable version of the Java Virtual Machine (VM) that, if successfully exploited, could allow an attacker to run untrusted code and gain elevated user privileges. According to Oracle's July 2014 CPU, CVE-2014-4227 can be exploited remotely without any form of authentication.
CVE-2014-3086 is also a vulnerability in IBM's Java VM implementation, though it was only deemed a 9.3 on the CVSS scale because it's slightly more difficult to exploit. CVE-2014-4262 and CVE-2014-4219, each rated as 9.3, were unspecified Java vulnerabilities in the Libraries and Hotspot components respectively, according to the IBM advisory, and could be used remotely by attackers to impact the confidentiality, integrity and availability of the IBM platforms.
Beyond applying the available patches, IBM also advised administrators to implement additional measures in order to avoid Java security problems.
"Administrators can help to protect their Domino servers against unauthorized access by strictly limiting the use of Java functions on the server through careful population of the Programmability Restrictions section on the Security tab of the Server document," said IBM in its advisory. "In particular, IBM recommends prohibiting server access of unsigned Java."