GroupWise: Security Alert: GroupWise 8.0.x


Novell is releasing an FTF (Field Test File) for a security-related issue with GroupWise 8.0.x. This issue was already resolved in the original release of GroupWise 2012, so GroupWise 2012 is not susceptible to it.

Download the Patch

Description: The GroupWise Client for Windows is vulnerable to an exploit where a malformed address book could cause heap memory corruption, which could lead to remote code execution under the privilege of the user that opened the address book. The exploitation of the bug requires user/programmer intervention. Simply using the 8.0.x client does not expose you to any security issues. In order for a user’s workstation to be affected, an end user would actually need to receive and open one of these "malformed" address books, so the security concern can also be mitigated by educating your end-users.

This issue was reported by Protek Research Lab, which specializes in searching for and reporting potential issues with software products. This issue has not been reported by any customer.

We will continue to disclose and communicate all security issues that are reported to us and that we have fixed in a particular release of our product.


Affected versions:

GroupWise Client for Windows 8.0x up to and including 8.02HP3.
Previous versions of GroupWise are likely also vulnerable but are no longer supported.

Novell bug 733885, CVE-2011-4189

Related TID: 7010205: Security Vulnerability - GroupWise 8 Windows Client Address Book Remote Code Execution Vulnerability

As stated in previous blog posts:

Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best. We do stress that all security issues should be taken seriously and patches applied. Please follow Best Practices guidelines for updating your system when applying this patch.


Please know that this fix will also be included in GroupWise 8.0.3, which is scheduled to release in just a few short weeks. Because you will be required to roll out a new Windows Client in order to protect your organization against this vulnerability, you may decide to wait until 8.0.3 is released.

If you are running GroupWise 6.x or 7.x, you will need to upgrade to at least GroupWise 8.0.2 HP3 and apply this FTF in order to be fully protected. If you are running GroupWise 2012, you already have this fix.


