GroupWise 7.0.2 / 6.5 post SP6 Security Vulnerability

  • 3382383
  • 05-Jun-2007
  • 27-Apr-2012

Environment

Novell GroupWise 6.5
Novell GroupWise 7
Novell GroupWise Agents
Novell GroupWise Client
Novell GroupWise Connector for Microsoft Outlook
Novell GroupWise Exchange Migration Utility

Situation

Vulnerability Explanation:
A security vulnerability in the GroupWise system has been discovered that allows a malicious user to intercept authentication credentials through a "man-in-the-middle" mechanism. The following systems are affected:
Servers:
NetWare
Linux
Windows
Clients:
Windows
Linux
Macintosh

Reported as CVE-2007-2513, this vulnerability was discovered by Andreas Schmidt, cirosec GmbH (http://www.cirosec.de).

Resolution

GroupWise 7

Customers should immediately upgrade all GroupWise clients -- including the GroupWise Connector for Microsoft Outlook and all GroupWise agents (MTA, POA, GWIA & WebAccess) -- to GroupWise 7 SP2 software dated May 24, 2007 or newer. Additionally, lock out all GroupWise client software older than May 24, 2007 via ConsoleOne. If using the GroupWise Exchange Migration Utility, this must also be updated.

GroupWise 6.5

Customers running GroupWise 6.5.x should immediately upgrade all GroupWise clients and GroupWise agents (MTA, POA, GWIA & WebAccess) to GroupWise 6.5 post-SP6 dated May 22, 2007 or newer. Additionally, lock out all GroupWise client software older than May 22, 2007 via ConsoleOne.

GroupWise 6.x and previous versions

Previous versions of GroupWise are no longer developed or supported. It is recommended to update to the latest version of GroupWise 6.5.x or 7.x.
Patches:

Note: The agents must be updated prior to applying the client update. Otherwise, the client will report an error as it attempts to connect to the older agent.

For instructions on locking out older client software versions, refer to Tracking and Restricting Client Access to the Post Office.

If running in a mixed GroupWise client environment -- for example, if a BlackBerry Enterprise Server (BES) is installed in a GroupWise 7 environment -- make sure to lock out older client software based on client date rather than client version. The recommended BES configuration uses the GroupWise 6.5 client.

Status

Security Alert

Additional Information

Known Issues:
1) The multi-lingual GroupWise 7 SP2 client hot patch had a build issue with some of the language resource files. Therefore, the multi-lingual GroupWise client will display some English. Development is making a new multi-lingual build that will be available early next week (week of June 4-8, 2007). This does not affect the GroupWise English-only client. Our multi-lingual customers may want to wait until this is released before applying the hot patch. This does not affect the GroupWise 6.5 post SP6 hot patch.
2) In WebAccess when selecting a user from the Address Book, the To: field will appear blank. Development is aware of this issue and is working towards a resolution.