News

Sunday, March 16, 2008

CVE-2008-1330 - Security vulnerability in the GroupWise Windows client API

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description: CVE-2008-1330

A security vulnerability exists in the GroupWise Windows client API that can allow programmatic access to non-authorized email under certain conditions. The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user. The attacker could then exploit the vulnerability to gain unauthorized access to non-shared email in the mailbox of the sharer.

Cause: An unspecified error in the Windows client API

Workaround:

Users that have shared folders with other users can protect their email by removing shared access until remedial steps have been completed. It is not necessary to delete the contents of the shared folders and they can be re-shared after the administrator has locked out older client versions.

To remove shared access to a folder select the shared folder, click File > Sharing, then select Not shared.


Remedy:

For GroupWise 7 - Customers running GroupWise 7.0 clientsshould immediately upgrade all clients to GroupWise 7 SP3 (dated 09Mar2008) and lock out older clients viaConsoleOne.

GroupWise 6.5 Windows - Customers running GroupWise 6.5 Windows clientsshould immediately upgrade all Windows clients to the GroupWise 6.5SP6 client Update 3(dated 11 Mar 2008), or upgrade to GroupWise 7SP3. Older clients must be locked out via ConsoleOne.

GroupWise 6.5 Linux - Customers running GroupWise 6.5 Linux or Mac clients should immediately upgrade to GroupWise 7 SP3 (dated 09 Mar 2008).

For GroupWise 6.0 and previous - Customers still running unsupportedGroupWise client versions (5.x and 6) shouldimmediately upgrade clients and servers to either GroupWise 6.5 SP6Update 3or to GroupWise 7 SP3. Older clients must belocked out via ConsoleOne.

If Blackberry Enterprise Server (BES) is installed in a GroupWise 7environment thenupgrade the BES to a version which supports the GroupWise 7 client (BES 4.0 SP 7 or BES 4.1 SP4), and upgrade the GW client installed on the machine to 7.0 SP3 (dated 09 Mar 2008).

If Blackberry Enterprise Server (BES) is installed in a GroupWise 6.5environment thenupgrade the GW client installed on the machine to 6.5SP6 Client Update 3(dated 11 Mar 2008).

Special Instructions and Notes:

For instructions on locking out older client versions please refer to GroupWise documentation for your GroupWise version:
GroupWise 7:

http://www.novell.com/documentation/gw7/gw7_admin/index.html?page=/documentation/gw7/gw7_admin/data/adqaf1n.html


GroupWise 6.5:

http://www.novell.com/documentation/gw65/index.html?page=/documentation/gw65/gw65_admin/data/adqaf1n.html

If running a mixed environment of 6.5 and 7.0 clients then make sure to lock out based on client release date rather than client version. The recommended date should be 08 Mar 2008 in order to ensure the system is not vulnerable.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQIVAwUBR92BEy6BSUNq5uyYAQJ8Sg/9FD/CDWXSrXR03YNehspNeC+FJ7y7J+xB
KNoKlSr3qSLIhkdOuzeKmmDxki/7XA5i41rfkR2vfqCinGefsTIPRlsZLoSmA97q
+KleTFP91xhtXrcDlP8OdBY93xXgi0bXCRhiUoxZY5Upc79LB/2zaQkdIEAZC1gW
pn9kwAlrsO+E2wfaKwdVuVgVirNeDPVtmetcB3sBPIAhjcIguPhimnQeDujeauXd
mbSztkY3hnP2X1YSYzef6VnwufsnaS0F9JHyp/BcDK/5qtlhPjOHfZWrqok7+ame
AHtCCIgMeOtlRfTuVoGmUWGb826/SHUFXoJ6Wv/CaEJYUyrQMgYiYWb55uOYtMET
hYXwJhVEQ2sGjgbrjoqAXKxxwGb0d1SbSGi/p75EgaRyCN8mPjYS/8MF5xijsX4z
qqjrutYtjqW31eZXLQJRSliIktlreZ7MsEfKJMNzTKOHhMsWKCLi91g6/QGRL8Sa
oX/9ovR43zNGLB1zfPUTQS5tyZkyPY0Jzql0GgvvcHxkxMT90UuvL7NqiIeCNDyi
8A+g1P5nkB2XhrUO3SGbmwA9M3Q7bVGzGz0WYHvSse9a6zx1pwRDOviP7Wf5pwmw
9cZy6K2NIj6M7vcqkpkXc25Gl6VazyLvO0zvImvkvRBDUCSRD8AZSPMKspGF0h7Z
NyLWESSPAmM=
=AtEB
-----END PGP SIGNATURE-----

---
You are currently subscribed to security-alerts as: [boy.blogger@gmail.com]
To unsubscribe, forward this message to leave-4133869-50512643.6b528295c430893294993f7b70570cbb@list.novell.com

No comments:

Blog Archive