Environment
Novell GroupWise 7
Novell GroupWise 6.5
Situation
A security vulnerability exists in the GroupWise Windows
client API that can allow programmatic access to non-authorized
email under certain conditions. The attacker must first
authenticate to GroupWise and be a recipient of a shared folder
from another user. The attacker could then exploit the
vulnerability to gain unauthorized access to non-shared email in
the mailbox of the sharer.
See CVE-2008-1330.
Resolution
Workaround:
Users that have shared folders with other users can protect
their email by removing shared access until remedial steps have
been completed. It is not necessary to delete the contents of the
shared folders and they can be re-shared after the administrator
has locked out older client versions.
To remove shared access to a folder, select the shared folder,
click File > Sharing, then select Not shared.
Remedy:
For GroupWise 7 - Customers running GroupWise 7.0 clients
should immediately upgrade all clients to GroupWise 7 SP3 (dated 09
Mar 2008) and lock out older clients via ConsoleOne.
GroupWise 6.5 Windows - Customers running GroupWise 6.5 Windows
clients should immediately upgrade all Windows clients to the
GroupWise 6.5 SP6 client Update 3 (dated 11 Mar 2008), or upgrade
to GroupWise 7 SP3. Older clients must be locked out via
ConsoleOne.
GroupWise 6.5 Linux - Customers running GroupWise 6.5 Linux or
Mac clients should immediately upgrade to GroupWise 7 SP3 (dated 09
Mar 2008).
For GroupWise 6.0 and previous - Customers still running
unsupported GroupWise client versions (5.x and 6) should
immediately upgrade clients and servers to either GroupWise 6.5 SP6
Update 3 or to GroupWise 7 SP3. Older clients must be locked out
via ConsoleOne.
If BlackBerry Enterprise Server (BES) is installed in a
GroupWise 7 environment, upgrade the BES to a version which
supports the GroupWise 7 client (BES 4.0 SP7 or BES 4.1 SP4), and
upgrade the GroupWise client installed on the BES machine to 7.0 SP3
(dated 09 Mar 2008).
If BlackBerry Enterprise Server (BES) is installed in a
GroupWise 6.5 environment, upgrade the GroupWise client installed on
the BES machine to 6.5 SP6 Client Update 3 (dated 11 Mar 2008).
Bug Number
339864
Additional Information
Special Instructions and Notes:
For instructions on locking out older client versions please
refer to GroupWise documentation for your GroupWise version:
GroupWise 7:
https://www.novell.com/documentation/gw7/gw7_admin/index.html?page=/documentation/gw7/gw7_admin/data/adqaf1n.html
GroupWise 6.5:
https://www.novell.com/documentation/gw65/index.html?page=/documentation/gw65/gw65_admin/data/adqaf1n.html
If you are running a mixed environment of 6.5 and 7.0 clients,
lock out based on client release date rather than client version.
The recommended lockout date is 08 Mar 2008, which ensures the
system is not vulnerable.
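The following added example (not Novell code) shows why the mixed-environment note above calls for a date-based lockout: it checks a constructed client inventory against the 08 Mar 2008 date and compares the result with a version-only rule. The inventory, the version tuples, the pre-2008 dates and the comparison semantics are assumptions made for illustration.

```python
from datetime import date

# Recommended lockout date from the advisory.
LOCKOUT_DATE = date(2008, 3, 8)

# Constructed inventory: (user, client version, client release date).
# The two 2008 dates are the fixed builds named in the advisory; the version
# tuples and the older dates are made-up sample values.
INVENTORY = [
    ("alice", (7, 0, 3), date(2008, 3, 9)),    # GroupWise 7 SP3
    ("bob",   (7, 0, 2), date(2007, 4, 12)),   # older 7.0 client
    ("carol", (6, 5, 6), date(2008, 3, 11)),   # 6.5 SP6 client Update 3
    ("dave",  (6, 5, 6), date(2006, 1, 20)),   # older 6.5 SP6 build
]

def allowed_by_date(released, minimum=LOCKOUT_DATE):
    # Assumption: a client is rejected when its release date is earlier
    # than the configured minimum.
    return released >= minimum

def allowed_by_version(version, minimum):
    # Assumption: versions compare component by component.
    return version >= minimum

def locked_out(inventory, minimum=LOCKOUT_DATE):
    """Users whose client predates the lockout date and still needs upgrading."""
    return [u for u, _, rel in inventory if not allowed_by_date(rel, minimum)]

def version_rule_mistakes(inventory, min_version):
    """Compare a version-only rule with the date rule.

    Returns (fixed clients wrongly rejected, old clients wrongly admitted).
    """
    rejected_fixed, admitted_old = [], []
    for user, version, released in inventory:
        by_ver, by_date = allowed_by_version(version, min_version), allowed_by_date(released)
        if by_date and not by_ver:
            rejected_fixed.append(user)
        elif by_ver and not by_date:
            admitted_old.append(user)
    return rejected_fixed, admitted_old

if __name__ == "__main__":
    print("locked out by date:", locked_out(INVENTORY))
    for floor in [(7, 0, 3), (6, 5, 6)]:
        print("version floor", floor, "->", version_rule_mistakes(INVENTORY, floor))
```

With this sample data, a version floor set for GroupWise 7 rejects the fixed 6.5 client, while a floor set for 6.5 admits the older clients; the date rule separates them correctly.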