Multiple vulnerabilities in IBM Lotus Mobile Connect
1. The Connection Manager does not properly delete the LTPA token for a session after the user logs off via the "Logoff" button, which can be exploited to bypass authentication.
Successful exploitation requires that the attacker has access to e.g. an unattended client.
2. The Connection Manager does not properly handle failed connection attempts to the HTTP-TCP based Mobile Network Connections (MNC), which can be exploited to e.g. cause an out-of-memory condition, resulting in a crash.
3. An error exists within the reference counter of the Connection Manager when handling repeated logons with the same VPN ID, which can be exploited to desynchronize the reference counter of active sessions, leading to an exhaustion of e.g. all available dynamic IP addresses.
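The following added example is not IBM code or part of the original advisory. It is a constructed model of the failure class in item 3, contrasting a session table that counts every repeated logon with one that treats a logon for an already-active VPN ID as idempotent. The class and function names, the one-lease-per-VPN-ID design and the 192.0.2.0/29 pool are assumptions made for illustration; the advisory does not describe the product's internals.

```python
# Constructed model: LeasePool, logon, logoff and run are hypothetical names,
# not taken from IBM Lotus Mobile Connect.
import ipaddress


class LeasePool:
    """Dynamic IP pool where each VPN ID should hold at most one lease."""

    def __init__(self, cidr, idempotent_logon=True):
        self.free = [str(h) for h in ipaddress.ip_network(cidr).hosts()]
        self.leases = {}      # vpn_id -> leased IP
        self.refcount = {}    # vpn_id -> number of counted logons
        self.idempotent_logon = idempotent_logon

    def logon(self, vpn_id):
        if vpn_id in self.leases and self.idempotent_logon:
            # Hardened path: a repeated logon reuses the existing lease and
            # leaves the counter untouched, so one logoff fully releases it.
            return self.leases[vpn_id]
        if not self.free:
            raise RuntimeError("no dynamic IP addresses left")
        # Naive path (idempotent_logon=False): a fresh address is taken and
        # any previous lease for this VPN ID is overwritten without being freed.
        self.leases[vpn_id] = self.free.pop(0)
        self.refcount[vpn_id] = self.refcount.get(vpn_id, 0) + 1
        return self.leases[vpn_id]

    def logoff(self, vpn_id):
        if vpn_id not in self.leases:
            return
        self.refcount[vpn_id] -= 1
        if self.refcount[vpn_id] <= 0:
            self.free.append(self.leases.pop(vpn_id))
            del self.refcount[vpn_id]

    def invariant_ok(self, total):
        # Every address is either free or held by exactly one live session.
        return len(self.free) + len(self.leases) == total


def run(idempotent):
    pool = LeasePool("192.0.2.0/29", idempotent_logon=idempotent)  # 6 hosts
    for _ in range(4):
        pool.logon("vpn-a")       # same VPN ID logs on repeatedly
    pool.logoff("vpn-a")
    return len(pool.free), pool.invariant_ok(6)
```

Checking the `invariant_ok` condition periodically, or alerting when the count of active sessions and the count of leased addresses diverge, is one way to detect this kind of counter desynchronization before the pool runs out.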