Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   IBM iNotes and Domino Vendors:   IBM
IBM Lotus Notes Mail Client Lets Remote Users Execute Java Applets
SecurityTracker Alert ID:  1028504
SecurityTracker URL:
CVE Reference:   CVE-2013-0127   (Links to External Site)
Date:  May 2 2013
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0
Description:   A vulnerability was reported in IBM Lotus Notes. A remote user can cause Java applets to be executed on the target user's system.

The mail client does not filter 'applet' and 'javascript' tags in HTML-based email messages. A remote user can send a specially crafted email message that, when loaded by the target user, will execute arbitrary Java code on the target system. The code will run with the privileges of the target user.

IBM has assigned SPRs JMOY95BLM6 and JMOY95BN49 to this vulnerability.

The vendor was notified on February 22, 2013.

Alexander Klink, n.runs AG, reported this vulnerability.

Impact:   A remote user can send an email that, when loaded by the target user, will execute arbitrary Java code on the target user's system.
Solution:   The vendor plans to issue a fix as part of Interim Fix 1 for 8.5.3 Fix Pack 4 and 9.0 Interim Fix 1.

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (macOS/OS X), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] n.runs-SA-2013.005 - IBM Lotus Notes - arbitrary code execution

n.runs AG                              security(at)
n.runs-SA-2013.005                                           30-APR-2013
Vendors:            IBM,
Product:            Lotus Notes 8.5.3
Vulnerability:      arbitrary code execution
Tracking IDs:       CVE-2013-0127, CERT VU#912420
Vendor communication:
2013-02-22: Reported to IBM PSIRT via email
2013-02-25: IBM PSIRT acknowledges the receipt, vulnerability
            details have been forwarded to Notes developers
2013-03-18: Informed CERT of planned advisory date of 2013-04-15
            and asked them to help with coordinated disclosure
2013-03-19: CERT informs IBM as VU#912420
2013-03-25: IBM requests holding off on disclosing the issue
            until a fix is released, which will occur before
            April 30th, 2013.
2013-03-26: n.runs agrees to delay the disclosure
2013-04-30: Coordinated disclosure with CERT and IBM PSIRT

The Lotus Notes mail client accepts <applet> tags inside HTML emails, making
it possible to load Java applets from a remote location.
Combined with known Java sandbox escape vulnerabilities, it can be used to
fully compromise the user reading the email.


Notes 8.5.3 does not filter <applet> tags inside HTML emails.
This can be used to load arbitrary Java applets from remote sources (making
it an information disclosure as well as it can be used to trigger an HTTP
request once the mail is previewed/opened).

Notes 8.5.3 FP3 ships with IBM Java 6 SR12 (since November 2012), older
versions may ship with older Java releases.

IBM's Java Security alerts page at 
shows several vulnerabilities with a CVSS score of 10 which have only been
fixed in IBM Java 6 SR13.

This would allow attackers to compromise users reading/previewing an email.


Arbitrary code execution as the user is reading the email.


Send an email to to get an automatic email
back which checks whether Java applets and LiveConnect are enabled. The Java
applet used for testing will not deliver any exploit code but just checks
whether Java applets are loaded correctly.


Execution of Java applets is blocked for emails from the internet in Notes
8.5.3 FP4 Interim Fix 1 and Notes 9.0 Interim Fix 1.
See also 


Turn off the execution of Java applets using the EnableJavaApplets=0
directive in notes.ini. It is also recommended to turn off LiveConnect with
EnableLiveConnect=0 as this provides another way to execute Java code even
if EnableJavaApplets is set to zero.

Alternatively, the File -> Preferences -> Basic Notes
Client Preferences GUI can be used to uncheck the Enable Java applets" and
the "Enable Java access from JavaScript" options.

As Java applets are still executed for internal emails, it is strongly
recommended to turn off this feature regardless of the implementation of the
above-mentioned fix.
Alexander Klink, n.runs AG
This advisory and upcoming advisories:

About n.runs:
n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting.

Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of such
Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC