Overview
Novell GroupWise is an email storage program. Email is encrypted when stored. Usernames and passwords can be acquired by sniffing communications between the client and server.
Description
In Novell GroupWise, email is stored as encrypted data. Clients and servers operating in Live Remote or Smart Caching mode improperly set a flag. This allows an attacker sniffing communications between the client and server to acquire usernames and passwords. As a result, an attacker can read all email stored in the GroupWise system on an account-by-account basis. The following versions of the clients and servers are affected by this vulnerability:
Client and server versions of GroupWise 5.5 and prior, and GroupWise 6 SP1 are not vulnerable. Novell has released technical details regarding this vulnerability.
Impact
Any user on the system can read all emails on that system on an account-by-account basis.
Solution
Novell has released a patch, available at http://support.novell.com/padlock. Both the client and server must have patches applied.
Acknowledgements
Our thanks to "Zig Ziggler"
This document was written by Jason Rafail.
Other Information
CVE IDs: CVE-2001-1231
Severity Metric: 0.17
Date Public: 2001-08-14
Date First Published: 2002-01-31
Date Last Updated: 2002-01-31 21:39 UTC
Document Revision: 10