Security Vulnerability (HTTP Header Injection) in GroupWise Agent HTTP Interfaces

  • 7006372
  • 30-Jun-2010
  • 27-Apr-2012

Environment

Novell GroupWise 7
Novell GroupWise 8
Novell GroupWise Message Transfer Agent
Novell GroupWise Post Office Agent
Novell GroupWise Internet Agent
Novell GroupWise WebAccess Agent
Novell GroupWise Monitor Agent

Situation

The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are vulnerable to an HTTP Header Injection attack that may be used to redirect users to arbitrary sites, perform HTTP request smuggling, and carry out other attacks against the user's browser.

Affected versions:
GroupWise 7.0, 7.01, 7.02, 7.03x
GroupWise 8.0, 8.01x

This vulnerability was discovered and reported by Kevin Lynn of The George Washington University (http://www.gwu.edu/).

Novell bugs 576304, 576316, CVE-2010-2775

Resolution

To resolve this issue:
For GroupWise 7.x systems, apply GroupWise 7 Support Pack 4 (SP4)
For GroupWise 8.x systems, apply GroupWise 8.0 Support Pack 2 (SP2) or later

Status

Security Alert