Cool Solutions

GroupWise 2012 SP2 Releases!

By: Dean Lythgoe

April 16, 2013 12:25 pm


Today, Novell announced the release of GroupWise 2012 SP2. This support pack releases eight months after SP1 and contains not only the expected set of fixes, new platform support, and increased reliability, but also contains some significant new functionality. GroupWise 2012 SP2 also includes technology called GroupWise Coexistence Solution for Exchange.

Update Today!

Organizations should follow best practices when deploying SP2 or when upgrading from a previous release of GroupWise. There are no special instructions or procedures required to update to this version of GroupWise.

While GroupWise Coexistence Solution for Exchange is embedded in the existing components of GroupWise and is part of the GroupWise 2012 SP2 code, this technology does require additional licensing and costs. In addition to purchasing this technology, an administrator must enable and configure Coexistence in order to get the benefits of this solution. If you do have questions, please read this recent blog post that discusses the features, benefits, and reasons that your organization may be interested in this technology and solution.

Security Alert

In addition to the release of GroupWise 2012 SP2, Novell is simultaneously releasing a security hot patch for GroupWise 8. This is called GroupWise 8.0.3 HP3 and contains ONLY these security fixes in the GroupWise 8.0.3 HP2 code base. Both GroupWise 2012 SP2 and GroupWise 8.0.3 HP3 contain the fixes for the following security issues.

Description: The GroupWise Client for Windows is vulnerable to a scripting exploit whereby, by enticing a user to run a malicious script embedded within the body of an email message, a remote attacker could execute arbitrary code on vulnerable Windows workstations running the GroupWise client.

Affected versions: GroupWise Client for Windows 8.0x up to and including 8.03 HP2
GroupWise Client for Windows 2012 up to and including 12.0.1 HP1
Previous versions of the GroupWise Client for Windows are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise Windows clients to version 8.0.3 Hot Patch 3 or 2012 SP2 in order to secure their systems.

Resolution: When a user opens a message containing a JavaScript or ActiveX script, the GroupWise 8.x and 2012.x clients for Windows display a warning inside the message window indicating that GroupWise has blocked a script from running. The warning gives end-users the option to allow the script to run by clicking on the yellow warning banner: (“GroupWise has restricted this webpage from running scripts or ActiveX controls that could access your computer. Click here to allow access.”)

To allow administrators to prevent potentially harmful scripts from running on their end-users’ workstations, the GroupWise 8.0.3 HP3 and GroupWise 12.0 Support Pack 2 clients include support for a new Windows registry key that will configure the GroupWise client for Windows to disable the “Click here to allow access” functionality, which will prevent end-users from running scripts embedded within HTML messages.

To block the ability to run scripts in the GroupWise 8.0.3 HP3 and 2012 SP2 clients for Windows, administrators will need to do the following:

  1. Create a new DWORD (32-bit) registry value under HKEY_CURRENT_USER\Software\Novell\GroupWise\Client\Setup\
  2. Enter “HTMLScriptsBlocked” (minus the quotes) in the “Value name” field
  3. Enter “1” (minus the quotes) in the “Value data” field
  4. Click OK to save the new DWORD value

Administrators can push out that registry setting to their Windows workstation using Novell ZENworks Configuration Management or another workstation-management utility.

With the new HTMLScriptsBlocked registry entry added to Windows, the GroupWise client will still display the yellow script warning, but if the user clicks on the warning message, the script will not run. NOTE: Adding this registry key to a Windows workstation will prevent ALL scripts from running within the GroupWise client, not just malicious scripts.
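The registry change above, scripted in PowerShell with an audit step, as an added example that is not Novell's own tooling. The key path and value name are the ones given in the steps; the function names are hypothetical, and the audit assumes that the same subkey sits under each loaded user hive in HKEY_USERS, of which HKEY_CURRENT_USER is a per-user view.

```powershell
# Added example: enforce and audit the HTMLScriptsBlocked value from the advisory.
# Function names are hypothetical; key path and value name come from the steps above.
$SubKey    = 'Software\Novell\GroupWise\Client\Setup'
$ValueName = 'HTMLScriptsBlocked'

function Set-GwScriptBlock {
    # Run in the user's own session (logon script or user-context policy),
    # because the advisory places the value under HKEY_CURRENT_USER.
    $path = "HKCU:\$SubKey"
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # -Force overwrites an existing value, e.g. one a user reset to 0.
    New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-GwScriptBlockStatus {
    # Audit every user hive currently loaded on this workstation.
    # The regex keeps real account SIDs and skips the "<SID>_Classes" hives.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $path  = "Registry::HKEY_USERS\$($_.PSChildName)\$SubKey"
            $item  = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            $value = if ($item) { $item.$ValueName } else { $null }
            [pscustomobject]@{
                Sid       = $_.PSChildName
                Value     = $value              # $null means the value is absent
                Compliant = ($value -eq 1)
            }
        }
}

Set-GwScriptBlock
Get-GwScriptBlockStatus | Format-Table -AutoSize
```

Reading other users' hives requires an elevated session. A compliant value only has an effect on GroupWise 8.0.3 HP3 and 2012 SP2 clients, so pair this check with a client version inventory.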

This vulnerability was discovered and reported by Bartlomiej Balcerek at Wroclaw Centre for Networking and Supercomputing.

Novell bug 799673, CVE-2013-1087

Related TID 7012063

=========================

Description: GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) issue whereby an attacker could exploit a vulnerability in the “onError” attribute to execute a malicious script in a user’s browser session.

Affected versions: GroupWise 8.x WebAccess up to and including 8.03 HP2
GroupWise 2012 WebAccess up to and including 12.0.1 HP1
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their WebAccess servers and associated Domains to version 8.03HP3 or 2012 SP2 in order to secure their system.

Resolution: To resolve this vulnerability, apply GroupWise 8.0.3 HP3 (or later), or GroupWise 2012 Support Pack 2.

This vulnerability was discovered and reported by Bartlomiej Balcerek at Wroclaw Centre for Networking and Supercomputing.

Novell bug 802906, CVE-2013-1086

Related TID 7012064

Windermere is Next!

Coming soon will be Windermere! The authorized beta is scheduled to begin in just a few weeks and the team is now code complete on the project. Code validation, cleanup, beta and customer feedback and review, and production-ready installations: that is what the team will be doing over the next several months in preparation for an end-of-year release.

Dean
