March 14, 2008
A security vulnerability exists in the GroupWise® Windows* client API that can allow programmatic access to non-authorized e-mail under certain conditions. The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user. The attacker could then exploit the vulnerability to gain unauthorized access to non-shared e-mail in the mailbox of the sharer.
Users who have shared folders with other users can protect their e-mail by removing shared access until remedial steps have been completed. It is not necessary to delete the contents of the shared folders and the folders can be re-shared after the administrator has locked out older client versions. To remove shared access to a folder in the GroupWise client, select the shared folder, click , then select .
Administrators should lock out earlier versions of the GroupWise client in post offices where shared folders are in use.
In ConsoleOne®, right-click the Post Office object, then click .
Click .
Select , specify March 9, 2008, then click .
Repeat this procedure for each post office in your GroupWise system where shared folders are in use.
GroupWise 6.5 Windows client users should immediately update to GroupWise 6.5 SP6 Client Update 3 (dated March 11, 2008), in order to avoid being locked out of their post offices.
GroupWise 6.5 Cross-Platform client users should update to GroupWise 7 SP3 (dated March 11, 2008) as soon as their post offices have been updated to GroupWise 7. In the meantime, they should use the WebAccess client while the GroupWise 6.5 Cross-Platform client is locked out of their post offices.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.