GroupWise Client API Security Vulnerability

  • 3001480
  • 19-Jul-2006
  • 27-Apr-2012

Environment

Novell GroupWise 5.x
Novell GroupWise 6.0
Novell GroupWise 6.5
Novell GroupWise 7
Novell GroupWise 32-bit Client

Situation

Vulnerability Explanation:

A security vulnerability in the GroupWise Windows Client API can allow random programmatic access to non-authorized email within the same authenticated post office.

Resolution

GroupWise 7
Customers running GroupWise 7.0 Windows Clients should immediately upgrade all Windows clients to GroupWise 7 SP1 and lock out older Windows clients via ConsoleOne.

GroupWise 6.5
Customers running GroupWise 6.5.x Windows Clients should immediately upgrade all Windows clients to the GroupWise 6.5 Post SP6 Update 1 version, or upgrade to GroupWise 7 SP1.  Older Windows clients must be locked out via ConsoleOne.

GroupWise 6.0 and previous
Customers still running unsupported GroupWise versions (5.x and 6) of the Windows Clients should immediately upgrade to either GroupWise 6.5 Post SP6 Update 1 or to GroupWise 7 SP1.  Older Windows clients must be locked out via ConsoleOne.

For instructions on locking out older client versions, refer to Tracking and Restricting Client Access to the Post Office.
If running in a mixed client environment, for example where a BlackBerry Enterprise Server (BES) is installed in a GroupWise 7 environment, make sure to lock out based on client date rather than client version, because the recommended BES configuration is still to use the GroupWise 6.5 client.  The suggested date to enter is June 13 2006.

Additionally, although they are not vulnerable, any Linux or Mac clients must also be updated to a version dated newer than June 13 2006 in order to lock out the Windows clients.  These client versions are all available at the links below.

GroupWise 7 patches are available here.
GroupWise 6.5 patches are available here.
Ensure that the latest client version available is installed.  Any client newer than June 13 2006 will include the fix for any GroupWise version.

Status

Reported to Engineering
Security Alert