Security Vulnerability: GroupWise Vulnerability in eDirectory Authentication Mechanism

  • 7010773
  • 11-Sep-2012
  • 21-Sep-2012

Environment

GroupWise 8 up to and including GroupWise 8.02 HP3
GroupWise 2012

Situation

A vulnerability exists in the eDirectory authentication mechanism of GroupWise 8 and GroupWise 2012 that could potentially allow unauthorized access to GroupWise accounts. GroupWise post offices are vulnerable to this exploit only if ALL of the following conditions are met:

The post office security level is set to "High"
AND
The administrator has enabled eDirectory Authentication under the "High Security Options" settings of the post office.
AND
The administrator has enabled the "Use eDirectory authentication instead of password" option in ConsoleOne under GroupWise Utilities | Client Options | Security

Resolution

To resolve the vulnerability, administrators must do both of the following:
1) Update both your GroupWise Post Office Agents (POA) and GroupWise client software to GroupWise 8.0 Support Pack 3 or GroupWise 2012 Support Pack 1
2) Prevent older clients from logging in by setting the "Minimum Client Release Date" option for each post office in ConsoleOne | <right-click on the Post Office> | Properties | Client Access Settings | Lock out Older GroupWise Clients and specifying a minimum client date of June 15, 2012 (or later).

If you are not able to immediately update your POA and client software and lock out older clients, you can secure your system by temporarily un-checking and locking the "Use eDirectory authentication instead of password" option in ConsoleOne under GroupWise Utilities | Client Options | Security (which will force users to authenticate with a GroupWise password).

For information on configuring the password settings for your GroupWise 8 post office, see the GroupWise 8 documentation at:
https://www.novell.com/documentation/gw8/gw8_admin/data/akd26fq.html

For information on configuring the password settings for your GroupWise 2012 post office, see the GroupWise 2012 documentation at: https://www.novell.com/documentation/groupwise2012/gw2012_guide_admin/?page=/documentation/groupwise2012/gw2012_guide_admin/data/a7q4wsn.html

Novell bug 765364

Status

Security Alert