Security Bulletin: IBM Sametime log file information disclosure (CVE-2012-3331)

The default permissions for the IBM Sametime database STLOG.NSF allows anonymous / unauthenticated users to access potentially sensitive information.
Vulnerability Type: Information disclosure
The information bellow is from TN 1613895
CVE ID: CVE-2012-3331

DESCRIPTION:

By default, anonymous / unauthenticated users can access the Sametime Log database (STLOG.NSF).

This database provides a variety of potentially sensitive information including canonical usernames, and client IP addresses.

For example, from the page http://1.2.3.4/stlog.nsf, select the link Community Server Login and Logout Events by User.

Steps to Reproduce Vulnerability: http://1.2.3.4/stlog.nsf

Note that access to the server where the Sametime servers are running should be possible only from within the organization. In addition these servers should not be made HTTP accessible to any machine in the organization.