
GroupWise users fight mystery bug



PROVO, UTAH - Network managers who administer Novell's newest version of GroupWise are scrambling to fend off a bug that can severely compromise network security and e-mail systems.

The problem, which Novell calls "extremely serious," appears in every GroupWise 6 and GroupWise 5.5 Enhancement Pack installation, although not other versions. It affects both the client and server portions of the e-mail/collaboration software and is severe enough that Novell has issued a patch called Padlock Fix, which the company is telling its users to apply immediately.



However, Novell is not telling administrators what the bug is or how to duplicate it, saying that it wants to give customers time to patch their systems before anyone can exploit the vulnerability.

"If you look at divulging details about a security issue out in public, then having customers do a firefight to get their systems updated, it's an impossible task for them to do that," says Paul Turner, director of product management at Novell. "We're taking some hits on this because we are literally asking network managers to go against their nature" and apply the patch without full knowledge of the problem.

Chris O'Brien, network manager for Olivet Nazarene University in Bourbonnais, Ill., is suspicious of Novell's advice.

"If the patch actually fixes a serious security problem, I have no problem putting it on as soon as possible," says O'Brien. "What does make me hesitate is the urgency combined with the secrecy of the problem. Applying a fix without knowing what it will do makes me nervous."

While most network managers don't want to ignore Novell's advice, they say Novell is wrong to not tell them the impact the bug will have on their systems.

"Novell doesn't have to reveal how to use the exploit, but they should report on the consequences of not patching the system," says Pat Riley, data systems manager for the Pierce County Fire Department in Gig Harbor, Wash. "What is exposed? Would it cause a server to crash? Does it expose the GroupWise message store to browsing? Does it allow a user to see another user's messages?"

GroupWise has 25 million users and ranks third behind Lotus Notes and Microsoft Exchange in market share.

Initially, network managers thought the cause of the problem was a bug reported by Adam Gray, CTO of Novacoast, on the Help Net Security site, which exposed individual users' security credentials. According to Novell and Gray, this bug was fixed with the GroupWise 5.5 Enhancement Pack Service Pack 3, which shipped in July. The bug the Padlock Fix patches is unrelated to Gray's bug, and Novell has disclosed virtually nothing about it.

Jeff Sessler, assistant director of technical services at Scripps College in Claremont, Calif., wasted no time applying the patches.

"We've already applied the patches," Sessler says. "As for the clients, we are using Novell's ZENworks for Desktops to deploy the client patch when users log in next. By 8:30 a.m. last Wednesday, 90% of my users already had the patch installed."

A net manager on Novell's GroupWise forum indicated that he had 80 post offices to patch, and at five minutes per post office it would take almost seven hours to apply the server patch. In its warning to customers, Novell says to apply the patch to post offices on servers before workstations. The company says that even though it is still necessary to patch workstations, the performance effect of the bug on workstations will be unnoticeable.

Customers are also grumbling about the size of the patch.

"From what I have read, only a few files are replaced by the Padlock update, yet it's over 28M bytes [in size]," Riley says. "Even if you accounted for every supported version of GroupWise, it would be difficult to end up with 28M bytes of compressed [files]. For me, this begs the question, 'What really is in the Padlock patch?'"

David Strickler, a consultant with GroupWise integrator DWS, says the patch consists not only of the bug fix, but also script files that help in distributing the patch.

The Padlock Fix can be downloaded from http://support.novell.com/padlock/.

Best practices: patches and service packs

Experts recommend that you:

1. Test the patch on a test network first.

2. Back up your network before applying the patch.

3. Talk with other users about their experiences applying the patch.

4. Apply patches in order of release.

5. In most cases, only apply the patch if something is broken.

Network managers such as Riley also expressed a general distrust of service packs from Novell, saying past fixes have been unsuccessful or introduced new problems into the system.

"Patches were scary," says Mike Shaw, a security consultant in Birmingham, Ala. "Patching GroupWise was definitely a Friday night, 'hope I get it up by Monday morning' event."

"Service Pack 1 for GroupWise 5.5 was a nightmare," Riley says. "I had to restart the Service Pack 1 patch several times before I finally made it through the entire process. It took hours."

Although the problem Novell is fixing has been present in GroupWise 5.5 Enhancement Pack for a couple of years, Novell just recently discovered it, Turner says.

"It's terrible timing for us and the whole industry because so many security issues have been brought out with everyone's software lately," Turner says. "We could have used the sleep."

Contact Senior Editor Deni Connor