Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Novell GroupWise Vendors:   Novell
GroupWise Windows Client API Bug Lets Remote Authenticated Users Access E-mail
SecurityTracker Alert ID:  1019616
SecurityTracker URL:
CVE Reference:   CVE-2008-1330   (Links to External Site)
Date:  Mar 17 2008
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 7 SP3
Description:   A vulnerability was reported in GroupWise. A remote authenticated user can access a target user's e-mail.

A remote authenticated user that is the recipient of a shared folder from a target user can gain access to the target user's e-mail.

Impact:   A remote authenticated user can access a target user's e-mail in certain cases.
Solution:   The vendor has issued a fix.

The Novell advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  CVE-2008-1330 - Security vulnerability in the GroupWise Windows client API

Hash: SHA1

Description:  CVE-2008-1330

A security vulnerability exists in the GroupWise Windows client API that can allow programmatic access to non-authorized email under
 certain conditions.  The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user. 
 The attacker could then exploit the vulnerability to gain unauthorized access to non-shared email in the mailbox of the sharer.

Cause: An unspecified error in the Windows client API


Users that have shared folders with other users can protect their email by removing shared access until remedial steps have been completed.
   It is not necessary to delete the contents of the shared folders and they can be re-shared after the administrator has locked out
 older client versions.  
To remove shared access to a folder select the shared folder, click File > Sharing, then select Not shared.


For GroupWise 7 - Customers running GroupWise 7.0 clientsshould immediately upgrade all clients to GroupWise 7 SP3 (dated 09Mar2008)
 and lock out older clients viaConsoleOne.

GroupWise 6.5 Windows - Customers running GroupWise 6.5 Windows clientsshould immediately upgrade all Windows clients to the GroupWise
 6.5SP6 client Update 3(dated 11 Mar 2008), or upgrade to GroupWise 7SP3.  Older clients must be locked out via ConsoleOne.  
GroupWise 6.5 Linux - Customers running GroupWise 6.5 Linux or Mac clients should immediately upgrade to GroupWise 7 SP3 (dated 09
 Mar 2008).  

For GroupWise 6.0 and previous - Customers still running unsupportedGroupWise client versions (5.x and 6) shouldimmediately upgrade
 clients and servers to either GroupWise 6.5 SP6Update 3or to GroupWise 7 SP3.  Older clients must belocked out via ConsoleOne.

If Blackberry Enterprise Server (BES) is installed in a GroupWise 7environment thenupgrade the BES to a version which supports the
 GroupWise 7 client (BES 4.0 SP 7 or BES 4.1 SP4), and upgrade the GW client installed on the machine to 7.0 SP3 (dated 09 Mar 2008).
If Blackberry Enterprise Server (BES) is installed in a GroupWise 6.5environment thenupgrade the GW client installed on the machine
 to 6.5SP6 Client Update 3(dated 11 Mar 2008).

Special Instructions and Notes:

For instructions on locking out older client versions please refer to GroupWise documentation for your GroupWise version:
GroupWise 7: 

GroupWise 6.5:

If running a mixed environment of 6.5 and 7.0 clients then make sure to lock out based on client release date rather than client version.
  The recommended date should be 08 Mar 2008 in order to ensure the system is not vulnerable.  

Version: GnuPG v1.4.2 (GNU/Linux)



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC