IBM Notes/Domino Security Bulletin: Vulnerabilities in the IBM Java SDK

Fresh from the press: new downloads available for IBM Notes and IBM Domino to fix the Java issues disclosed in the Oracle January 2015 Critical Patch Update.

This Java vulnerabilities affect all current versions of IBM Notes and Domino and if you don’t control some of the Java behaviour on the server or client via restrictions or ECL you should get these Java patches.

Direct links to patches for 9.0.1 FP3:
Windows
JVMPatch_SR16FP3_W32_901.3_ClientServer
JVMPatch_SR16FP3_W64_901.3_Server

Linux
JVMPatch_SR16FP3_Linux64_901.3_Server
JVMPatch_SR16FP3_Linux_901.3_ClientServer

Get more information and direct download links to all the patches here.

12 thoughts on “IBM Notes/Domino Security Bulletin: Vulnerabilities in the IBM Java SDK

Add yours

  1. Above fix broke my Traveler server:

    08/03/2015 08:07:49 AM Notes Traveler: SEVERE *system IBM Notes Traveler server could not be started. The exc
    eption was java.lang.NoClassDefFoundError: com/ibm/jsse2/aH (wrong name: com/ibm/jsse2/ah). Exception Thrown: j
    va.lang.NoClassDefFoundError: com/ibm/jsse2/aH (wrong name: com/ibm/jsse2/ah)

    1. I have heard from others that Traveler runs without issues after applying the fix. Does Traveler work again when you remove the fix?
      I’d open a PMR..

        1. I had the same experience: I applied the patch, got the same error, removed the patch and Traveler is running again. I put in a service request with IBM, but no solution yet.

  2. They are not patches for FP3, but patches which will upgrade you to FP3. You make it sound as if the vulns are in FP3, while they are actually FIXED in FP3.

    Also: There is already an FP3IF1, which fixes some booboo’s in the JVM, which some calls LS2J were also hindered by. I find it all too plausible that IF1 might fix the Traveler issue too.
    Worth a try…

    1. I read it as a fix for these versions because the “Affected Products and Versions” is listing them:
      IBM Notes and Domino 9.0.1 Fix Pack 3 (plus Interim Fixes) and earlier
      IBM Notes and Domino 8.5.3 Fix Pack 6 (plus Interim Fixes) and earlier
      IBM Notes and Domino 8.5.3 Fix Pack 5 (plus Interim Fixes) and earlier
      All 9.0 and 8.5.x releases of IBM Notes and Domino prior to those listed above.

      and also because of the description for the fix:
      The fix is available for multiple platforms as a single standalone Java patch that covers Notes and Domino version 9.0.1 Fix Pack 3 (plus Interim Fixes).

  3. aha, I see i misread. My local test server is now also suffering from the exception: java.lang.NoClassDefFoundError: com/ibm/jsse2/aH (wrong name: com/ibm/jsse2/ah)

  4. Anyone have a fix for this? I can’t run my Domino v9.01fp3 HF239 now at all. I am going to have to downgrade to fp2 HF391 because of this error, so I will miss out on TLS 1.2

    1. Jim, please check Daniel Nashed’s Blog post and maybe the Wiki article as well. There have been different issues and I know several PMR’s about this topic.
      Daniel also mentioned during his session at ics.ug that at a customer site he had to revert back to 9.0.1 and reinstall all the appropriate fixes to get the server running.

      Daniel’s Blog
      http://blog.nashcom.de/nashcomblog.nsf/dx/domino-9.0.1-fp3-if3-is-about-to-ship.htm?opendocument&comments#anc1

      IBM Wiki
      http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2

Leave a Reply

Your email address will not be published. Required fields are marked *

ten − nine =

© Andreas Ponte 2011-2024 | Theme: Baskerville 2 by Anders Noren.

Up ↑