Novell Kanaka for Mac 2.7 trusts any SSL certificate during installation.

  • 7011965
  • 15-Mar-2013
  • 22-Apr-2013


Novell Kanaka for Mac


During the installation of Novell Kanaka for Mac 2.7, the product will trust any SSL certificate. This creates a security threat that could give an attacker an opportunity to steal credentials. While we feel that the threat is minimal since it is only an issue during the installation process, and access to the server during that time would be required, we do take this seriously and have made an update available which addresses this issue.


Novell Kanaka for Macintosh is an add-on component for the Open Enterprise Server product.  Customers who have a current maintenance contract for OES are eligible to obtain the Kanaka product and licenses at no charge. 

The previously released version is 2.7.1. The product team has created version 2.8. Version 2.8 is functionally equivalent to 2.7.1 with one change: it addresses a security vulnerability that can be exploited during the product installation. Once the system has been installed, the vulnerability is no longer present. Therefore, previously installed 2.7.1 systems do not need the update in order to be secure, unless they re-install the software.

Both versions, 2.7.1 and 2.8, will be available on the customer portal for customers who own OES and have a current maintenance agreement.


A problem in the install process gives a would-be attacker an opportunity, during the installation, to compromise credentials.
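The following is an added illustration of the "trusts any SSL certificate" condition described above; it is not Novell's code, and the page does not say how the Kanaka installer configures TLS. It places a trust-any client configuration beside a verifying one, using Python's standard `ssl` module, and shows a guard that refuses to open a credential-bearing connection with the weak one. All function names and the host name in the usage are hypothetical.

```python
import socket
import ssl

def trust_any_context() -> ssl.SSLContext:
    """Weak setting: a client context that accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is never validated
    return ctx

def verifying_context(ca_file=None) -> ssl.SSLContext:
    """Corrected setting: chain and hostname are validated (system CAs if ca_file is None)."""
    return ssl.create_default_context(cafile=ca_file)

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons this context would accept an impostor server."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings

def connect_for_login(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open the TLS channel that will carry credentials, refusing weak contexts."""
    findings = audit_context(ctx)
    if findings:
        # Fail before any socket is opened, so no credentials can leak.
        raise ValueError("refusing to send credentials: " + "; ".join(findings))
    raw = socket.create_connection((host, port), timeout=10)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise

if __name__ == "__main__":
    # Constructed demonstration: audit both configurations without touching the network.
    for name, ctx in (("trust-any", trust_any_context()), ("verifying", verifying_context())):
        print(name, audit_context(ctx) or "ok")
```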

Additional Information

Credit for discovering and reporting this vulnerability is attributed to;