Novell is releasing an FTF (Field Test File) for a security-related issue with GroupWise 8.0.x. This issue was already resolved in the original release of GroupWise 2012, so GroupWise 2012 is not susceptible to it.
Description: The GroupWise Client for Windows is vulnerable to an exploit where a malformed address book could cause heap memory corruption, which could lead to remote code execution under the privilege of the user that opened the address book. The exploitation of the bug requires user/programmer intervention. Simply using the 8.0.x client does not expose you to any security issues. In order for a user’s workstation to be affected, an end user would actually need to receive and open one of these “malformed” address books, so the security concern can also be mitigated by educating your end-users.
This issue was reported by Protek Research Lab, which specializes in searching for and reporting potential issues with software products. This issue has not been reported by any customer.
We will continue to disclose and communicate all security issues that are reported to us and that we have fixed in a particular release of our product.
Affected versions: GroupWise Client for Windows 8.0x up to and including 8.02HP3.
Previous versions of GroupWise are likely also vulnerable but are no longer supported.
Novell bug 733885, CVE-2011-4189
As stated in previous blog posts:
Please know that this fix will also be included in GroupWise 8.0.3, which is scheduled to release in just a few short weeks. Because you will be required to roll out a new Windows Client in order to protect your organization against this vulnerability, you may decide to wait until 8.0.3 is released.
If you are running GroupWise 6.x or 7.x, you will need to upgrade to at least GroupWise 8.0.2 HP3 and apply this FTF in order to be fully protected. If you are running GroupWise 2012, you already have this fix.