DominoSecurity Newsletter (from DominoSecurity.org)
Date: 03/03/2003
Title: Potentially serious security flaws
Contents:
Hello DominoSecurity readers,
I am in touch with the folks at Rapid7.com, who research Domino/Notes security issues and create products in this area. Rapid7 has informed me that they discovered three new security flaws in R4, R5, and R6 -- one of which is especially serious. Rapid7 says that Lotus is aware of these problems and has fixed the flaws in 5.0.12 and 6.0.1. I have not personally verified these defects, or their fixes, but I am passing this information on to my readers. In my opinion, it is a credible threat. Below is a quote from my email from Rapid7.
"Due to serious security issues discovered by Rapid7, Inc. in all versions of Lotus Notes and Domino from R4 through R5.0.11, including R6 pre-Gold releases, we are encouraging users to upgrade either to R5.0.12 or R6.0.1. In one week's time, Rapid7 will be releasing to the public more details on these vulnerabilities. More details will be available on our website, www.rapid7.com. At that time, we will also be releasing automated vulnerability checks for our NeXpose vulnerability scanner. Licensed NeXpose customers will receive these new checks via the auto-update facility."
The reason Rapid7 is not yet releasing full details about the flaws is that they feel this would be a public disservice. They believe that one of the flaws could be exploited widely because it affects so many versions of Domino/Notes. They don't want to tell hackers how to break into these systems before everyone has a chance to upgrade.
Chuck Connell
www.chc-3.com
www.DominoAdministration.com