Security Vulnerability - GroupWise 8 WebAccess Arbitrary File Download Vulnerability

  • 7007156
  • 04-Nov-2010
  • 26-Apr-2012

Environment

Novell GroupWise 8
Novell GroupWise 8 WebAccess Agent
Novell GroupWise 8 Document Viewer Agent
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.

Situation

The GroupWise WebAccess Agent and Document Viewer Agent contain a vulnerability that could potentially allow arbitrary files to be downloaded from the server. Authentication is not required to exploit this vulnerability.

This vulnerability was discovered by Mehul Revankar, reported through Secunia (http://secunia.com/advisories/40820).

Novell bugs 638644 and 638646; CVE number pending.

Resolution

To resolve this security issue, update GroupWise WebAccess servers (the Document Viewer Agent is installed as part of the WebAccess setup) to version 8.02 Hot Patch (or later).

Status

Security Alert

Bug Number

638644 638646