Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2012.0133 Multiple vulnerabilities have been fixed in GroupWise 8.0 SP3 3 October 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Novell GroupWise 8 Operating System: Netware Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-4912 CVE-2012-0419 CVE-2012-0418 CVE-2012-0417 Member content until: Friday, November 2 2012 OVERVIEW Multiple vulnerabilities have been fixed in Novell GroupWise 8.0 SP3. IMPACT The vendor has provided the following information: [1] CVE-2012-4912: "GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit where input passed via an HTML email is not properly sanitized before being displayed to the user, whereby an attacker could potentially insert arbitrary HTML and script code that will be executed in a user's browser session." CVE-2012-0419: "The HTTP interfaces for the GroupWise agents are vulnerable to an arbitrary file retrieval condition due to a failure to properly filter certain crafted directory traversal sequences. An unauthenticated remote attacker can leverage this flaw to retrieve files with the privileges of the vulnerable agent(s)." CVE-2012-0418: "The GroupWise Client for Windows is vulnerable to an exploit where by enticing a target user to open a malicious file, a remote attacker can leverage the vulnerability to gain remote code execution within the security context of the affected user, or crash the affected application." CVE-2012-0417: "The GroupWise Internet Agent (GWIA) is vulnerable to an integer overflow exploit that could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA." MITIGATION Users should install SP3 Hot Patch 1.[1] REFERENCES [1] GroupWise 8.0 SP3 Hot Patch 1 Full Release for Windows and NLM http://download.novell.com/Download?buildid=O5hTjIiMdMo~ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUGudfe4yVqjM2NGpAQIOxw/8CIwvPwXKX/tOmtCp1MCPSfna1LdcAfWZ nsPSAJ9SPiRlYd0fxes4iWkyp7c9u95HJaAukDzvauyVXhjr+MYrYgJ4OEOAdgbS jgNJMGbrGNRjJuQefCEmF0O/itaXYdsIAm/CAp/fA4GkRiU6P/2WKmu1216Nbkzc 1VYPEyKB9OBn3w0Lg9CO7Q5Ve5MZ/gNz4HyLAkCbbG33tU16diH+Ex28zKxzN8bV JzVbIgHQiSjXIez58l/P+Ruy4WjtKaRpcauK/moxcQwe2QI4IzZXh7/OHhZzbb5Y HxfZBHR/nArBUpsMpYUo9Y1+TXysQePhmxIrTUvBHqXKdr4RXZtohWKsDC+KawtE CXoS0fIoh7f/nyStbg1gygQeBXiZTHTgK4tcnOWQASgFdZUVwf1vuRCzQgSPIudO i0Yx0fKuqPTKt2+8l+PZWXoy+0RjowFqbyOOT3TsJeWtTj2m7uWbmKFCNCWr5WZF vM+VmvG79LEiBT8+DhI9m27i+hWlnWh36/iTgxi9xH+Avwo4O+LRg5ZcG3VsDj1H vByjEvsp0taOG6ogQ+pQzRoDksyuXtd9ByaSk7XOzpoyEv62I9+uM0UGZUTclHr9 +XSYSkJexLrZdX5hgCfrUTpY9S3oyQNUJVFfZY5Cg1ncLVKVDo3V+f8aCVdrQWBy 9S5ULeN+Lsw= =V+Lj -----END PGP SIGNATURE-----