GroupWise Security Vulnerability - Hotpatch available
As GroupWise experts well know, GroupWise is the best-secured Integrated Collaboration Environment available on the market, which can be seen, among other things, from the independent CERT ratios on independent sites such as www.cert.org and www.us-cert.org. Still, Novell does not escape entirely either: on 31 May 2007 Novell announced that a Hotpatch is available for a possible "Man-in-the-Middle" attack.
  
The first version of this hotpatch is not without problems, however; Alex Evans (Novell) and Ken Muir (Novell) tell more on this page.
 
A number of people downloaded this hotpatch right away, and especially in Europe this led to questions and problems: with the patched Windows32 client you can no longer connect to older POAs (not so surprising in itself). More annoying was that the translation database failed: the first builds of the hotpatch only work properly in English. This is to be resolved with a new build in the week of 4-7 June. There is also an issue with WebAccess, see below.
 

First, Alex Evans, Novell, on 1 June 2007:
Yesterday we announced that we had fixed a GroupWise security vulnerability. I am not posting to discuss the details of the vulnerability but I want to, again, give you pointers on how to update your system. First, the TID - here.
  
Next, the files - they are all linked from the TID but for completeness 6.5 and 7.
  
Lastly, how to update - well I already blogged on this so I am just going to link you there and then add a couple of fine points specific to this update.
  
A couple of differences on this one are that the POAs all need to be updated before you can install the new client or new GWIA and WebAccess. So, from this point forwards, the 7.02 Hot Patch client can no longer connect to an older POA. This is kind of a stake in the sand as, after this, the rule will reapply: you’re just not going to be able to connect to a POA older than May 24 2007 with a client dated May 24 2007 or later.
  

And then this contribution from Ken Muir on NGWList.com on 1 June 2007:
I'm going to go against policy here to help GroupWise customers because I think it's the right thing to do.  I will get heat over this but quite frankly, I don't care.  I would rather take care of our customers and meet your needs better in helping you with this situation.  I have talked to many customers already personally to help them with their risk assessment.  Bottom line... It is Novell's obligation to provide customers with the most secure product we can.  It is our obligation that if we know of a security problem, to tell you about it, provide a fix, and tell you that you must patch your system.  We MUST do this, period!  So again, you need to patch your system.
 
Now... You can take the rest of this information and make your own decision at your own risk.
 
1-  Can a person in your organization sniff the wire communication between the client and the server?
2-  Can this person then analyze the packets and decode the GroupWise protocol at the initial client/server handshake?
3-  Can this person now write a server-side program that mimics this handshake and acts like a GW Agent?
4-  Can this person setup a server on your network and have this program running on it?
5-  Can this person now get people in your organization to re-direct their GroupWise client to this new, "rogue" server?
 
If the answer to these questions is yes, yes, yes, yes, yes... You had better patch your system immediately. Otherwise, it's your call as to what level of risk you are willing to accept. Again, Novell says you must patch your system.
 
For our non-English client customers, we had a flaw in our translation DB that caused some strings to not be translated.  It is being fixed right now and should be re-posted asap.  A basic sanity check of non-English clients should have caught this but for some reason, was not run.  We will remedy the situation.
 
--Ken
 
Ken Muir
Director of Software Engineering