Environment
GroupWise 8 up to and including GroupWise 8.02 HP3
GroupWise 2012
Situation
A vulnerability exists in the eDirectory authentication mechanism of GroupWise 8 and GroupWise 2012 that could potentially allow unauthorized access to GroupWise accounts. GroupWise post offices are vulnerable to this exploit only if ALL of the following conditions are met:
The post office security level is set to "High"
AND
The administrator has enabled eDirectory Authentication under the "High Security Options" settings of the post office.
AND
The administrator has enabled the "Use eDirectory authentication instead of password" option in ConsoleOne under GroupWise Utilities | Client Options | Security
Resolution
To resolve the vulnerability, administrators must do both of the following:
1) Update both your GroupWise Post Office Agents (POA) and GroupWise client software to GroupWise 8.0 Support Pack 3 or GroupWise 2012 Support Pack 1
2) Prevent older clients from logging in by setting the "Minimum Client Release Date" option for each post office in ConsoleOne | <right-click on the Post Office> | Properties | Client Access Settings | Lock out Older GroupWise Clients and specifying a minimum client date of June 15, 2012 (or later).
If you are not able to immediately update your POA and client software and lock out older clients, you can secure your system by temporarily un-checking and locking the "Use eDirectory authentication instead of password" option in ConsoleOne under GroupWise Utilities | Client Options | Security (which will force users to authenticate with a GroupWise password).
For information on configuring the password settings for your GroupWise 8 post office, see the GroupWise 8 documentation at:
https://www.novell.com/documentation/gw8/gw8_admin/data/akd26fq.html
For information on configuring the password settings for your GroupWise 2012 post office, see the GroupWise 2012 documentation at: https://www.novell.com/documentation/groupwise2012/gw2012_guide_admin/?page=/documentation/groupwise2012/gw2012_guide_admin/data/a7q4wsn.html
Novell bug 765364