GroupWise Windows Client API Bug Lets Remote Authenticated Users Access E-mail
SecurityTracker Alert ID: 1019616|
SecurityTracker URL: http://securitytracker.com/id/1019616
(Links to External Site)
Date: Mar 17 2008
Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to 7 SP3|
A vulnerability was reported in GroupWise. A remote authenticated user can access a target user's e-mail.|
A remote authenticated user that is the recipient of a shared folder from a target user can gain access to the target user's e-mail.
A remote authenticated user can access a target user's e-mail in certain cases.|
The vendor has issued a fix.|
The Novell advisory is available at:
Vendor URL: support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5009020.html (Links to External Site)
Access control error|
Source Message Contents
Subject: CVE-2008-1330 - Security vulnerability in the GroupWise Windows client API|
-----BEGIN PGP SIGNED MESSAGE-----
A security vulnerability exists in the GroupWise Windows client API that can allow programmatic access to non-authorized email under
certain conditions. The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user.
The attacker could then exploit the vulnerability to gain unauthorized access to non-shared email in the mailbox of the sharer.
Cause: An unspecified error in the Windows client API
Users that have shared folders with other users can protect their email by removing shared access until remedial steps have been completed.
It is not necessary to delete the contents of the shared folders and they can be re-shared after the administrator has locked out
older client versions.
To remove shared access to a folder select the shared folder, click File > Sharing, then select Not shared.
For GroupWise 7 - Customers running GroupWise 7.0 clientsshould immediately upgrade all clients to GroupWise 7 SP3 (dated 09Mar2008)
and lock out older clients viaConsoleOne.
GroupWise 6.5 Windows - Customers running GroupWise 6.5 Windows clientsshould immediately upgrade all Windows clients to the GroupWise
6.5SP6 client Update 3(dated 11 Mar 2008), or upgrade to GroupWise 7SP3. Older clients must be locked out via ConsoleOne.
GroupWise 6.5 Linux - Customers running GroupWise 6.5 Linux or Mac clients should immediately upgrade to GroupWise 7 SP3 (dated 09
For GroupWise 6.0 and previous - Customers still running unsupportedGroupWise client versions (5.x and 6) shouldimmediately upgrade
clients and servers to either GroupWise 6.5 SP6Update 3or to GroupWise 7 SP3. Older clients must belocked out via ConsoleOne.
If Blackberry Enterprise Server (BES) is installed in a GroupWise 7environment thenupgrade the BES to a version which supports the
GroupWise 7 client (BES 4.0 SP 7 or BES 4.1 SP4), and upgrade the GW client installed on the machine to 7.0 SP3 (dated 09 Mar 2008).
If Blackberry Enterprise Server (BES) is installed in a GroupWise 6.5environment thenupgrade the GW client installed on the machine
to 6.5SP6 Client Update 3(dated 11 Mar 2008).
Special Instructions and Notes:
For instructions on locking out older client versions please refer to GroupWise documentation for your GroupWise version:
GroupWise 7: http://www.novell.com/documentation/gw7/gw7_admin/index.html?page=/documentation/gw7/gw7_admin/data/adqaf1n.html
GroupWise 6.5: http://www.novell.com/documentation/gw65/index.html?page=/documentation/gw65/gw65_admin/data/adqaf1n.html
If running a mixed environment of 6.5 and 7.0 clients then make sure to lock out based on client release date rather than client version.
The recommended date should be 08 Mar 2008 in order to ensure the system is not vulnerable.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
-----END PGP SIGNATURE-----