-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Multiple vulnerabilities have been fixed in GroupWise 8.0 SP3
3 October 2012
AusCERT Security Bulletin Summary
Product: Novell GroupWise 8
Operating System: Netware
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
CVE Names: CVE-2012-4912 CVE-2012-0419 CVE-2012-0418
Member content until: Friday, November 2 2012
Multiple vulnerabilities have been fixed in Novell GroupWise 8.0 SP3.
The vendor has provided the following information: 
"GroupWise WebAccess is vulnerable to a cross-site scripting (XSS)
exploit where input passed via an HTML email is not properly sanitized
before being displayed to the user, whereby an attacker could
potentially insert arbitrary HTML and script code that will be executed
in a user's browser session."
"The HTTP interfaces for the GroupWise agents are vulnerable to an
arbitrary file retrieval condition due to a failure to properly filter
certain crafted directory traversal sequences. An unauthenticated
remote attacker can leverage this flaw to retrieve files with the
privileges of the vulnerable agent(s)."
"The GroupWise Client for Windows is vulnerable to an exploit where by
enticing a target user to open a malicious file, a remote attacker can
leverage the vulnerability to gain remote code execution within the
security context of the affected user, or crash the affected
"The GroupWise Internet Agent (GWIA) is vulnerable to an integer
overflow exploit that could potentially allow an unauthenticated
remote attacker to execute arbitrary code on vulnerable installations
Users should install SP3 Hot Patch 1.
 GroupWise 8.0 SP3 Hot Patch 1 Full Release for Windows and NLM
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----