Environment
GroupWise 2014 R2 Support Pack 1 Hot Patch 2
GroupWise Document Viewer Agent
Situation
A reflected XSS vulnerability exists in the web console of the GroupWise Document Viewer Agent that may enable a remote attacker to execute JavaScript in the context of a valid user's browser session by getting the user to click on a specially crafted link. This could lead to session compromise or other browser-based attacks.
This vulnerability was discovered and reported by Michael Statman at Emes Consulting (http://www.emesconsulting.net). Micro Focus bug 986327, CVE-2016-9169
Resolution
To resolve this vulnerability, apply GroupWise 2014 R2 Support Pack 1 Hot Patch 2 (or later).
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise server components to GroupWise 2014 R2 Support Pack 1 Hot Patch 2 in order to secure their system.
Status
Security Alert
Bug Number
986327