The enterprise software vendor Micro Focus has released patches that address serious security issues in their GroupWise product.
GroupWise Administrators Should Apply the Latest Patches
The GroupWise enterprise software suite by Micro Focus (who acquired Novell in 2014) has been patched by its developers to amend serious security issues identified by security researchers. Different vulnerabilities were identified in GroupWise 2014 R2 SP1, the latest version of the software.
Two reflected cross-site scripting (XSS) flaws in the administrator console could be exploited by malicious users to execute arbitrary JavaSscript code. The criminal actions can incur remote control sessions by the malicious operators. These types of exploits can be run only of the victims activate malicious links in email messages or web sites.
The other identified issue is caused by a heap-based buffer overflow that affects the GroupWise Post Office Agent and WebAccess module. According to the report (identified as CVE-2016-5762), the flaw can be executed by entering a crafted value into the username and password fields of the sign-in page. Security implications include arbitrary remote code execution if no other protection measures are used.
The WebAccess feature is often accessible directly from the public web pages of the institutions and organizations that utilize GroupWise. Possible targets include major government and educational institutions in Austria, The USA, United Kingdom, South Africa, Hungary, Bulgaria, Argentina, and Canada.
The developer team of Micro Focus has released patches earlier this week to amend all known security vulnerabilities. All administrators are strongly suggested to update as quickly as possible to prevent possible intrusion attempts.