Security Vulnerability - Reflected Cross-site scripting (XSS) vulnerability in GroupWise Document Viewer Agent (DVA)

  • 7018371
  • 07-Dec-2016
  • 07-Dec-2016

Environment

GroupWise 2014 R2 Support Pack 1 Hot Patch 2
GroupWise Document Viewer Agent

Situation

A reflected XSS vulnerability exists in the web console of the GroupWise Document Viewer Agent that may enable a remote attacker to execute javascript in the context of a valid user's browser session by getting the user to click on a specially crafted link. This could lead to session compromise or other browser-based attacks.
 
This vulnerability was discovered and reported by Michael Statman at Emes Consulting (http://www.emesconsulting.net).  Micro Focus bug 986327, CVE-2016-9169

Resolution

To resolve this vulnerability, apply GroupWise 2014 R2 Support Pack 1 Hot Patch 2 (or later).
 
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise server components to GroupWise 2014 R2 Support Pack 1 Hot Patch 2 in order to secure their system.

Status

Security Alert

Bug Number

986327

Feedback service temporarily unavailable. For content questions or problems, please contact Support.