Cool Solutions

Novell Info: GroupWise WebAccess Security Issue



January 30, 2009 9:28 am


We have issued several TIDs and will be releasing Hot Patches today for 7.0.x and 8.0.x code bases.

For your reference the TIDs are: 7002319, 7002320, 7002321, and 7002322.

We also sent an email to every PSE/DSE yesterday.

Novell/GroupWise takes every report of a security vulnerability very seriously. As security issues go, these reported today are very addressable by basic network measures – like firewalls, spam and virus protection.

However, we have made some changes in the WebAccess code to make sure that even in the event the network is not protected, they will not be affected by these malicious activities.

Please review the TIDs for more information…

As you know, security breaches are much more about ‘who’ gets credit for finding them than they are about how serious or real the issue is. This is a very low severity threat/concern. But an issue nonetheless.

Here is a link to the news article…

http://www.theregister.co.uk/2009/01/30/novell_groupwise_vulns/

We do not disclose the exact details of any security breach so that it gives time for administrators to update their systems without malicious individuals having all of the knowledge to exploit any affected areas. Even after a patch is provided and sufficient time has been given to update, not every administrator will be able to act immediately and some may decide not to act at all and simply follow their own update/deployment schedules.

This is one of those issues, like all security issues, that should be taken seriously. However, it is our opinion that the risk of actual attack or breach is extremely low.

Dean


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

11 Comments

  1. By:gburg

    Dean,

    The TIDs state that this vulnerability also applies to GW65.x.
    I see hotfixes for GW7 and GW8.

    Will there be fixes for GW65.x too ?

    Gert
    http://www.GWCheck.com

    • By:dlythgoe

      If you have a customer or are a customer running GroupWise 6.5, please contact Novell support and discuss what options are available to you.

      As you know, GroupWise 6.5 has been in the ‘end of life’ cycle since last May. There are a few customers that have purchased extended support for GroupWise 6.5, but we know of very few customers that are still running GroupWise 6.5.

      The best option, not only for security reasons, but for so many other reasons and advantages is to upgrade to GroupWise 8 :)

      Dean

  2. By:billperp

    I always ask this, but. . .

    Can we also use the fast GW update system proposed by Alex here:

    http://www.novell.com/communities/node/1569/cool-blog-doing-stuff-updating-groupwise

    Or do we need to go through the whole formal installation as shown in the readme?

    We don’t have a lot of time to do updates like this, so anything that can save time is appreciated.

    Thanks.

    Bill

    • By:aevans

      Yes, you can use my patented fast-update-method. The security fixes are in the WebAccess application, not the WebAccess agent or POA/MTA. There is a security update in the GWIA though.

  3. By:dlythgoe

    There have been a few members of the GroupWise community that have reached out to Alex and me in the spirit of doing the right thing and communicating the right tone about this security issue. We appreciate not only your involvement and feedback, but the very professional way in which you have requested a ‘better’ response from us.

    Instead of a simple reply to these individuals, I decided it would be best to simply post in the same public places we have been having the discussion.

    The criticism received has to do with our characterization of this security issue. You have been concerned that we were not treating this with the level of urgency and seriousness of the problem. Specific examples were used to demonstrate that not ‘just’ regular network security processes would protect you.

    I appreciate this feedback and I apologize. You are absolutely correct. This, along with all security related bugs, should be treated with the utmost concern and seriousness. We would never recommend not deploying a security related patch and I am sorry if this is the impression we left you. I hope you know that was not the intention.

    It is sometimes a fine line between communicating a security issue and all out hysteria. We want the GroupWise community to be informed and to treat all security issues with the appropriate amount of attention. You should deploy security patches as soon as possible. You should take the appropriate measures to protect your network and your users.

    These particular code fixes affect GWIA and the WebAccess servlet. In order to protect your system, these need to be updated with the patches provided. If you run any of these components on the same server as a POA or MTA, those components will require updating as well.

    Thank you for the opportunity to clarify and I hope this discussion better meets expectations.

  4. By:WalterH

    Hi,

    the German Windows HP1 client is worse than the original GW 8.0 client!

    1. The Quick Correct is broken and I lost all my abbreviations.
    2. The client in caching mode hangs the PC for 30 to 60 seconds while syncing the caching mailbox.
    Both issues make the HP 1 client unusable!

    3. the installation bug with two languages configured in setup.cfg is not fixed.

    I guess that most bugs are not fixed – why a HP1 with so many errors?

    Walter

    • By:dlythgoe

      Walter,

      Thanks for reporting these.

      1. QuickCorrect – this was a regression we found after we shipped the HP. It appears to affect some users in some cases. We are working on a fix.

      2. Caching mode hang. We are not having anyone else report this. We can not duplicate. We need more details – please contact support.

      3. two languages in setup.cfg. This has been fixed and will be available when 8.0.1 ships. This was found in 8.0 and is not a regression in HP, just not fixed yet.

      The HP only contains fixes for about 90 issues. We tried to tackle the most critical, and it was not intended to be a large release or one that may resolve all issues. We have found that this provides more stability from release to release. It is also the reason we are targeting only defect fixes and not enhancements in any of the Hot Patches or Support Packs.

      Dean

  5. By:paulgear

    It is rather irresponsible (I would say unethical) to downplay security bugs as you have done in this notification. Here are some excerpts from the article you linked to:

    * “One vulnerability allows an attacker to forward all of a user’s email simply by sending a specially crafted email” …
    * “The cross-site request forgery bug allows attackers to add new forwarding rules simply by tricking a user into opening the email, no clicking of links necessary.”
    * “A second security vulnerability is the result of a persistent cross site scripting (XSS) error that allows attackers to remotely run code on a user’s computer. Miscreants could exploit the flaw by inserting malicious javascript into an HTML email or by including an HTML attachment.”

    To suggest that there are any ways to combat this other than good code inside GroupWise is to suggest that the responsibility for processing email reliably and securely doesn’t lie with GroupWise. Security and stability has always been GroupWise’s strong point. Don’t wreck it with this sort of nonsense. It verges on the spin we hear out of Microsoft and Apple.

  6. By:rovabu

    The news article of ‘The Register’ states:

    “One vulnerability allows an attacker to forward all of a user’s email simply by sending a specially crafted email, according to Adrian Pastor, an employee for ProCheckUp, a penetration testing firm based in London. The cross-site request forgery bug allows attackers to add new forwarding rules simply by tricking a user into opening the email, no clicking of links necessary.”

    If you want to quickly check whether such ‘rogue’ rules exist in your user’s mailboxes, use GWAVA’s Vertigo. Here’s a link to a Flash movie which shows how to use Vertigo for this specific purpose:

    http://download.gwava.com/vertigo/camtasia/rules/Rules.html

  7. By:kjhurni

    Unfortunately it looks like we’ll be needing a fix for the fix. (this reminds me of 703 HP1 all over again, unfortunately).

    If you apply 703 HP2 to your WebAccess Application code, you will find that it breaks the Basic Interface from being able to send email.

    You’ll get the following error:

    Compile Error: seltime.inc: Line 36: ) was encountered. } was expected.. Cannot load file: send.htt.

    Now, if you have a backup I’m told you can replace the files from before the fix.

    Or hopefully there will be a post HP2 patch or something as well.

    These last two HP have not inspired a great deal of confidence here.

    • By:dlythgoe

      I believe you mean 7.0.3 HP2 – it can be so confusing :)

      Mistakes can happen – even on the simplest of things….

      We did discover this problem and it was reported by a few of our customers that the Simple Interface for WebAccess was broken in this update. NTS can get you the fix… it also can be fixed by a small change to one file on your server. A TID is forthcoming.

      We are certainly committed to not having any regressions. This is unfortunate. We want to be building confidence for Kevin and for the entire install base. Perfection can be elusive, but progressive.

      Dean
