GroupWise: 8.0.2 Ships!

14 July 2010 - 4:43pm
Submitted by: dlythgoe

Today, Novell announced immediate availability of GroupWise 8.0.2, the latest update to the GroupWise 8 product line. It not only adds stability, reliability and quality, but also adds specific features and enhancements!

GroupWise 8.0.2 is now available!

Download here.

This support pack includes a number of new features designed to enhance integration with Novell Teaming and the new Novell Conferencing. Please note that GroupWise 8 SP2 is also required to enable full functionality for Novell Data Synchronizer, also released to Public BETA today! See related blog.

Security Alert

Finally, this support pack includes fixes that address recent GroupWise security issues. Details about these security fixes are provided below. GroupWise 8 SP2 is available to all GroupWise customers with current maintenance. Please note that these security fixes are also publicly available in a GroupWise 7.0.4 Field-Test File (FTF) that can be accessed here.

Security Issue Details

  • The memory stack can overflow when passing a long argument to the NWDSLogout functions in netwin32.dll.
    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006432
  • The gwcma1.dll GroupWise module is vulnerable to a stack overflow exploit.
    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006431
  • The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are susceptible to cross-site scripting (XSS) attacks, which could potentially be used by an attacker to steal sensitive information from application users, including parameters such as session credentials.
    Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006371
  • The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are vulnerable to an HTTP Header Injection attack that may be used to redirect users to arbitrary sites, perform HTTP Request Smuggling, and execute other attacks against the user's browser.
    Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006372
  • Under certain circumstances, parameters passed to GroupWise WebAccess could potentially expose authentication information in the user's web browser.
    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006373
  • The GroupWise Internet Agent is vulnerable to an exploit whereby an authenticated user could potentially cause a stack overflow, which would allow them to execute arbitrary code.
    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006374
  • GroupWise WebAccess is vulnerable to a Javascript XSS exploit in which viewing a specially formatted message could cause users to be redirected to a malicious website.
    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006375
  • GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit in which replying to a specially formatted message could cause users to be redirected to a malicious website.
    Affected Versions: GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006376
  • GroupWise WebAccess is vulnerable to cross-site scripting (XSS) via header injection into certain form parameters, which could potentially be used to redirect users to a malicious website, perform HTTP request smuggling, and execute other attacks against the user's browser.
    Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006377
  • GroupWise WebAccess is vulnerable to a Javascript/HTML injection cross-site scripting (XSS) exploit which could potentially be used to redirect users to a malicious website.
    Affected Versions: GroupWise 8.0, 8.01x
    Related TID: 7006379
  • The User Proxy feature of GroupWise WebAccess is vulnerable to a stack overflow exploit whereby an authenticated user could potentially trigger a stack overflow and execute arbitrary code.
    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
    Related TID: 7006380

We recommend that you deploy the 7.0.4 FTF if you are running 7.0.x code, and that you deploy the 8.0.2 code if you are running 8.0. This will ensure your system has all currently available fixes.

As stated in previous blog posts:

“Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.

We do not disclose the exact details of any security defect so that ample time is provided to administrators to update their systems without malicious individuals having all of the knowledge to exploit any affected areas. Even after a patch is provided and sufficient time has been given to update, not every administrator will be able to act immediately. Some may decide not to act at all and simply follow their own update/deployment schedules.

We do stress - All security issues should be taken seriously and patches applied.
Please follow Best Practices guidelines for updating your system when applying this patch.”

GroupWise 6.x customers should upgrade to GroupWise 8.0.2.

Let us know how it goes!

Dean


User Comments

Submitted by swoc on 15 July 2010 - 11:30am.

Either I'm blind or there is no 8.0.2 available for download from download.novell.com.

Can you provide a direct link to the download?

Submitted by rvanherk on 15 July 2010 - 2:35pm.

You will need to go to the Search Patches page.

no download

Submitted by hardie77 on 15 July 2010 - 1:58pm.

I am not seeing a download either

Download

Submitted by johnstonrd on 15 July 2010 - 2:29pm.

I am applying an update today 8.0.1 and would like to apply the 8.0.2 if provided we get the download link in time.

Thanks

Submitted by rvanherk on 15 July 2010 - 9:05pm.

As mentioned above, on the main download page you will need to click on Search Patches if you are searching for a patch. That's where the GroupWise SP 2 can be found.

Is maintenance required?

Submitted by jmarton on 16 July 2010 - 7:19am.

The 802 patch status says "open" which I'm assuming is because it contains security fixes, so it should be available I believe to everyone and not just those with maintenance. Can anyone verify that it is indeed available to all customers?

Re: Maintenance

Submitted by dlythgoe on 19 July 2010 - 9:03am.

In general, support packs do require that customers be on maintenance. However, this particular support pack has several components that contain security fixes. The components that do have security fixes are available to everyone.

Helpful?

Dean

correct link for downloading

Submitted by MrockaSM on 16 July 2010 - 8:02am.

The link is confusing; you have to search for the version you want under patches.
Search for 8.02 (not the version you have installed but the patch you want to install) and then you will see the links to download.

http://download.novell.com/patch/finder/#familyId=...

Does the new 7.04ftf include the fixes in the previous FTF 50739

Submitted by grimlock on 16 July 2010 - 12:19pm.

http://support.novell.com/docs/Readmes/InfoDocumen...

7.04 broke soap and thus GMS. The new security release says that it's security patches only, implying that the previous fix is not in there and applying it would in turn break soap and GMS again.

Can we get some clarification as to if the fixes in the doc provided above are included in the new release?

Submitted by probello on 16 July 2010 - 1:39pm.

I just had our build manager check the source code for the currently posted 704 patch and the fixes for both defects, 592389 - SOAP requests fail to a 7.0.4 POA and 585899 - POA TCP-Handler Abend, are in there.

Pam

Submitted by grimlock on 16 July 2010 - 2:03pm.

Thanks Pam, I appreciate the quick response.
