Environment
Novell GroupWise 2014 up to (and including) Support Pack 2
Situation
A vulnerability exists in the Oracle "Outside In" technology used by GroupWise that may allow an attacker to affect the availability of certain GroupWise services.
Resolution
Oracle fixed the vulnerability in the Outside In Viewer technology in its October 2015 Critical Patch Update (see http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html). The GroupWise team regularly incorporates these security updates from Oracle into our release cycle, and the updated Oracle viewers are included in the initial release of GroupWise 2014 R2. Customers running GroupWise 2012 and 2014 should update to 2014 R2 to secure their systems.
Customers who are on GroupWise 2014 but unable to update to 2014 R2, and GroupWise 2012 customers who have purchased an extended support agreement, can contact Novell Technical Services to request a field test file that contains the security fixes for this vulnerability.
This vulnerability was reported to Novell by Francis Provencher from COSIG.
Novell bugs 951478, 951482, 951484
CVE-2015-4877, CVE-2015-4878