
Security Alert: Sametime servers with LDAP authentication configured





IBM has released a public security notice and reference for Sametime servers that use LDAP as the authentication source. Many thanks to Integrasys for finding this and bringing it to IBM's attention.

DESCRIPTION: The Sametime server contains a configuration servlet that is accessed by several Sametime server processes. By default, this servlet does not require authentication, which could potentially allow an unauthorized user to obtain read access to configuration data. Administrators are advised to protect this servlet by configuring Sametime to require authentication for it.


The full remediation and workaround can be found in reference #1569452. This affects servers from version 7.0 onward (and earlier versions, if you still have a server that old).

NOTE: We will be holding a podcast or webcast on this to take feedback, answer questions and give more information.