COMMAND

    GroupWise

SYSTEMS AFFECTED

    Novell GroupWise 5.5 Enhancement Pack Web Access

PROBLEM

    Adam Gray found following.  There is a DOS attack that can be  run
    against Novell  GroupWise Web  Access 5.5  Enhancement Pack.   The
    Java Server is possible to crash with a long character string sent
    to the servlet gateway  using a web browser.   This DOS can  cause
    the Netscape web server to abend, the Java.nlm to take all of  the
    processor  utilization,  or  the  post  office  can  simple   stop
    responding.  This DOS attack will kill any active GroupWise  based
    connections  to  the  GroupWise  server.   The  server   typically
    requires a reboot to fix the problem.  This bug has been confirmed
    by Novell with instruction from novacoast.  Exploit:

        http://servername/servlet/<garbage string of characters 200 or more>

SOLUTION

    GroupWise Enhancement Pack 5.5 Sp1.  This patch is still in  beta.
    It should be released in the  next few weeks.  It can  be obtained
    by contacting Novell Technical Support.