Novell GroupWise 6.5
Novell GroupWise 7
Novell GroupWise Agents
Novell GroupWise Client
Novell GroupWise Connector for Microsoft Outlook
Novell GroupWise Exchange Migration Utility
A security vulnerability in the GroupWise system has been discovered that allows a malicious user to intercept authentication credentials through a "man-in-the-middle" mechanism. The following systems are affected:
Reported as CVE-2007-2513, this vulnerability was discovered by Andreas Schmidt, cirosec GmbH (http://www.cirosec.de).
Customers should immediately upgrade all GroupWise clients -- including the GroupWise Connector for Microsoft Outlook and all GroupWise agents (MTA, POA, GWIA & WebAccess) -- to GroupWise 7 SP2 software dated May 24, 2007 or newer. Additionally, lock out all GroupWise client software older than May 24, 2007 via ConsoleOne. If using the GroupWise Exchange Migration Utility, this must also be updated.
Customers running GroupWise 6.5.x should immediately upgrade all GroupWise clients, GroupWise agents (MTA, POA, GWIA & WebAccess) to GroupWise 6.5 post-SP6 dated May 22, 2007 or newer. Additionally, lock out all GroupWise client software older than May 22, 2007 via ConsoleOne.
GroupWise 6.x and previous versions
Previous versions of GroupWise are no longer developed or supported. It is recommended to update to the latest version of GroupWise 6.5.x or 7.x.
Note:The agents must be updated prior to applying the client update. Otherwise, the client will report an error as it attempts to connect to the older agent.
For instructions on locking out older client software versions, refer toTracking and Restricting Client Access to the Post Office.
If running in a mixed GroupWise client environment -- for example, if a BlackBerry Enterprise Server (BES) is installed in a GroupWise 7 environment -- make sure to lock out older client software based on client date rather than client version. The recommended BES configuration uses the GroupWise 6.5 client.
1) The multi-lingual GroupWise 7SP2 client hot patch had a build issue with some of the language resource files. Therefore, the multi-lingual GroupWise client will display some English. Development is making a new mulit-lingual build that will be available early next week (week of June 4-8, 2007) This does not affect the GroupWise English only client. Our multi-lingual customers may want to wait until this is released before applying the hot patch. This does not affect the GroupWise 6.5 post SP6 hot patch.
2) In WebAccess when selecting a user from the Address Book, the To: field will appear blank. Development is aware of this issue and is working towards a resolution.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.