Novell Data Synchronizer Mobility Pack Unauthorized user access Security Vulnerability

Document ID:7008690
Creation Date:02-Jun-2011
Modified Date:10-Dec-2013
- Micro Focus Products:
  GroupWise
  GroupWise Mobility Service

Environment

Novell Data Synchronizer Mobility Pack 1.0

Novell Data Synchronizer Mobility Pack 1.1

Situation

Novell Data Synchronizer Mobility Pack 1.1.2, and earlier, has a vulnerability that, in certain circumstances, could allow a user to gain unauthorized access to other user accounts.

Resolution

Please follow the steps listed below:

Make sure that the Mobility Pack Version is 1.1.1 (343) or 1.1.2 (428). Please follow the steps listed below to check the version
- Open a terminal session to the Mobility Server
- Type "cat /opt/novell/datasync/version "
- If the Mobility Pack Version is not 343 or 428, please follow the sub-steps listed below
  - Download and Upgrade to Mobility Pack 1.1.1 or Mobility Pack 1.1.2. Please follow the steps in the following link to apply the update
    https://support.microfocus.com/kb/doc.php?id=7007012&sliceId=1&docTypeID=DT_TID_1_1&dialogID=237416781&stateId=0%200%20237412939
Please download the file from the following link
For 343 - Click here to download the patch for vulnerability
For 428 - Click here to download the patch for vulnerability
Browse to /opt/novell/datasync/syncengine/connectors/mobility/lib/device/ .
Rename DeviceInterface.pyc to DeviceInterface.pyc.bak .
Copy the appropriate DeviceInterface.pyc downloaded in step 2 and paste it in /opt/novell/datasync/syncengine/connectors/mobility/lib/device .
Type "rcdatasync restart " and press Enter.

Status

Security Alert

Additional Information

Notes:

Affected versions:
Novell Data Synchronizer 1.0.x (all builds)
Novell Data Synchronizer 1.1.1 build 428 and earlier

This vulnerability was discovered and reported by iTEC Services (http://www.itec-services.de). CVE-2011-1711