122 Security Reasons to Upgrade – And More to Come!

In today's digital landscape, where technology evolves at lightspeed, software updates have become a cornerstone of ensuring the efficiency, functionality and security of any digital product.

While it might be tempting to stick with older versions of software due to familiarity or perceived stability, the risks of doing so far outweigh the benefits. In an interconnected world nothing – absolutely nothing – will be safe and secure forever.

That is why HCLSoftware has released 122 new security updates since Domino v11 that address known vulnerabilities and enhance the overall security of your Domino environment.

Every day new vulnerabilities are detected, 29,065 new ones alone in 2023, even in products that are considered rock-solid. Some are found years after the software was published.

At HCLSoftware, we are managing security improvements for currently supported versions of the Domino family by focusing on three pillars:

Common Vulnerabilities and Exposures (CVE’s)

• Please see below review of the Log4Shell vulnerability as an example of this type of vulnerability.

Maintaining Currency on Inherited Third-Party Components Such as Java

• Many of those dependencies are no longer supportable for v9 and v10 as we have highlighted here. For instance, GSKit is a library used for encryption in internet protocols such as TLS/SSL in HTTP, SMTP, IMAP, POP, etc.

Improvements and Best Practices

• Such as adding industry trends that make our product more secure, e.g. Passkeys, OIDC authentication, etc.

In this blog post, we'll delve into why upgrading your software is not just important, but crucial, with a particular emphasis on the significant security risks associated with staying on old or unsupported versions.

1. Risk of Security Vulnerabilities and Exploits

One of the most compelling reasons to upgrade your software is to protect against vulnerabilities and exploits. As software evolves, developers discover and patch security flaws that could potentially be exploited by malicious actors.

However, older versions - especially those where the vendor does not provide updates any longer - often lack crucial security patches, leaving them susceptible to cyberattacks. Hackers actively target outdated software precisely because they know it's more likely to have unaddressed vulnerabilities, making it low-hanging fruit for exploitation.

Well-known examples are the Log4Shell vulnerability (CVE-2021-44228), which affected the Apache Log4j logging library. This critical vulnerability allowed attackers to execute arbitrary code remotely, potentially compromising millions of systems worldwide. Prompted upgrades to the latest patched versions of affected software were essential to mitigate the risk of exploitation.

A common misconception is that these kinds of vulnerabilities and exploits can be prevented by using web application firewalls (WAF) – while WAF’s provide some value in day-to-day operations, they are not fixing the root cause of the problem – instead they increase cost and complexity and will not protect against advanced threats.

2. End of Life and Unsupported Versions

We regularly release new versions of our products to enhance features, improve performance, and address security concerns. However, as new versions are introduced, older versions eventually reach their end of support (EOS) and are no longer supported, as announced for IBM Domino v9 and v10. This means that critical security updates and patches cease, leaving users with software that becomes increasingly vulnerable over time. Continuing to use unsupported versions puts your entire system at risk, as there is no safety net of ongoing support and maintenance from the developer.

We all remember the WannaCry ransomware attack of 2017, which was a consequence of using unsupported software which exploited a vulnerability in outdated versions of the Windows operating system. Organizations that had failed to install the necessary security updates, which were available at the time, fell victim to widespread encryption of their data and ransom demands.

Remember Poodle or Heartbleed? Both were vulnerabilities in the core SSL/TLS stack also affecting IBM Domino. If a similar problem would appear, an unsupported version of Domino would not receive a fix and systems would stay vulnerable which eventually would lead to data breaches and loss of confidential information.

The German Federal Office for Information security (BSI) issued an urgent alert about the poor state of Microsoft Exchange Server patching. You should be concerned about your business if you still run on those outdated versions.

3. Compliance and Regulatory Requirements

In many industries, compliance with regulatory standards and data protection laws is not optional - it's mandatory. And there are plenty of them, from data protection, privacy, antitrust, cybersecurity, import- and export regulations, taxation, records retention rules and more that apply to certain countries, geographies or industries.

Using outdated software that lacks the latest security features and patches can lead to compliance violations, potentially resulting in hefty fines and reputational damage. Upgrading software ensures that you stay in line with industry regulations and standards, safeguarding your business from legal consequences and maintaining customer trust.

For example, the European Union's General Data Protection Regulation (GDPR) requires organizations to implement appropriate security measures to protect personal data. Specifically, GDPR Chapter 2, article 5f defines:

(…) data shall be (…) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

Which means that failure to upgrade software to mitigate known security vulnerabilities could lead to non-compliance and severe penalties.

4. Data Breaches and Loss of Confidential Information

The consequences of a successful cyberattack can be devastating, ranging from data breaches to the loss of sensitive information. Outdated software is a key target for cybercriminals looking to steal valuable data or gain unauthorized access to systems. It just takes a single-entry point to exploit an entire enterprise as many businesses unfortunately saw last year. Unfortunately, it’s always the weakest link that counts.

By upgrading to the latest version, you're not only mitigating the risk of data breaches but also proactively protecting your organization's sensitive information and reputation.

According to eWeek, 80% of the companies that had either a data breach or a failed audit could have prevented the issue by keeping up to date with patches and/or configuration.

A very well-known example in the US is the Equifax incident of 2017, where hackers exploited a vulnerability in Apache Struts, a web application framework, to gain access to sensitive personal information of millions of individuals. Upgrading to a patched version of that framework could have prevented this costly breach.

A very recent case is a severe backdoor in the XZ library which potentially would have affected the whole internet. Fortunately, it was discovered and fixed quickly, but it did affect some Linux distros. Not immediately updating would effectively leave a backdoor widely open. Do we need to say more to underline the importance of staying vigilant against security threats?

5. Improved Performance and more Functionality

Beyond all the security concerns outlined above, updates also provide performance enhancements and new features that can boost productivity and streamline workflows.

For example, HCL Domino v14 provides 86 new features and is built with the latest compilers to leverage CPU efficiency improvements of modern server hardware. By staying up to date, you're not only reducing security risks but also ensuring that you have access to the tools and capabilities you need to stay competitive in today's fast-paced business environment.

If the above key statements are not enough, let’s talk about some common misconceptions we came across that could cost your organization greatly:

1. Assuming safety by using Web Application firewalls.
   While Web Application firewalls (WAF) and firewalls overall provide some value in daily service and operations, they do have drawbacks such as false positives/false negatives, impacting the service quality and performance. WAFs also add an additional cost and are highly dependent on receiving (pattern) updates themselves. So instead of fixing the root cause of the problem, introducing WAFs will increase cost and complexity but will not protect against advanced threads.


2. Assuming upgrades are time consuming and expensive.
   While it might be a significant cost issue for competitors, upgrading HCL Domino usually is a piece of cake as upgrades of servers are typically done “in place” and just take a few minutes to complete. Same for clients where Notes Client AUT or Panagenda MarvelClient Upgrade are the tools for success.


3. Assuming the latest version will deprecate older functionality.
   With over 30 years in the market, HCL Domino has shown a track record of investment protection. Over all those years backward compatibility has always been a priority and so only a small number of features ever had to be deprecated or discontinued, e.g. the rarely used NSFDB2 feature that was introduced more than a decade ago. If this is ever done, it will be communicated well in advance so it’s never going to be a surprise for customers.

In conclusion, the importance of upgrading your software cannot be overstated, especially when it comes to safeguarding against security risks. By staying current with the latest versions and security patches, you're fortifying your defenses against cyber threats, ensuring compliance with regulatory requirements, and future-proofing your business against potential vulnerabilities.

Investing in software upgrades isn't just about staying technologically relevant—it's about protecting your most valuable assets and securing the future of your organization.

Embrace Living in the ‘Now’ and Stop Living in the Past – Go Upgrade!

• Automate your updates using HCL BigFix and/or use the new AutoUpdate feature in V14 to keep your HCL Domino servers and clients up to date. Also, you can skip upgrading your Notes client if you move to HCL Nomad web client with a CCB License. Check out our latest webinar to learn more
• Leverage HCLSoftware’s White Glove Service and check out the Domino Upgrade Webpage
• Stay connected with the community – learn what others did, ask your questions and share your knowledge by joining OpenNTF webinars & discord channels, product specific discussion forums and conferences such as Engage.ug or Collabsphere

References:

• CVE-2021-44228 (Log4Shell)
• WannaCry ransomware attack https://en.wikipedia.org/wiki/WannaCry
• General Data Protection Regulation (GDPR)
• GDPR Chapter 2, Article 5 https://gdpr-info.eu/art-5-gdpr/
• HCL Software Support Lifecycle https://www.hcl-software.com/resources/product-release/search
• Biggest Cybersecurity Incidents 2023 https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2023/
• Department of Homeland Security (DHS): Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 https://www.dhs.gov/news/2024/04/02/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer
• Critical Vulnerability in XZ Utils https://www.cert.europa.eu/publications/security-advisories/2024-032/
• The Register – These 17.000 unpatched Microsoft Exchange Servers