Network managers who administer Novell Inc.'s newest version of GroupWise are scrambling to fend off a bug that can severely compromise network security and e-mail systems.
The problem, which Novell calls "extremely serious," appears in every GroupWise 6 and GroupWise 5.5 Enhancement Pack installation, although not other versions. It affects both the client and server portions of the e-mail/collaboration software and is severe enough that Novell has issued a patch called the Padlock Fix, which the company is telling its users to apply immediately.
However, Novell is not telling administrators what the bug is or how to duplicate it, saying that they want to give customers time to patch their systems before anyone can exploit the vulnerability.
"If you look at divulging details about a security issue out in public, then having customers do a firefight to get their systems updated, it's an impossible task for them to do that," says Paul Turner, director of product management at Novell. "We're taking some hits on this because we are literally asking network managers to go against their nature" and apply the patch without full knowledge of the problem.
Chris O'Brien, network manager for Olivet Nazarene University in Bourbonnais, Illinois, is suspicious of Novell's advice.
"If the patch actually fixes a serious security problem, I have no problem putting it on as soon as possible," says O'Brien. "What does make me hesitate is the urgency combined with the secrecy of the problem. Applying a fix without knowing what it will do, makes me nervous."
While most network managers don't want to ignore Novell's advice, they say it's wrong of Novell to not tell them the impact the bug will have on their systems.
"Novell doesn't have to reveal how to use the exploit, but they should report on the consequences of not patching the system," says Pat Riley, data systems manager for the Pierce County Fire Department in Gig Harbor, Washington. "What is exposed? Would it cause a server to crash? Does it expose the GroupWise message store to browsing? Does it allow one user to see another user's messages?" GroupWise has 25 million users and ranks third behind Lotus Notes and Microsoft Exchange in market share.
Initially, network managers thought that the cause of the problem was a bug reported by Adam Gray, CTO of Novacraft on the Help Net Security site, which exposed individual user's security credentials. According to Novell and Gray, this bug was fixed with the GroupWise 5.5 Enhancement Pack Service Pack 3, which shipped in July. The bug the Padlock Fix patches is unrelated to Gray's bug, and Novell has disclosed virtually nothing about it.
Jeff Shessler, assistant director of technical services at Scripps College in Claremont, Calif., wasted no time applying the patches.
"We've already applied the patches," Shessler says. "As for the clients, we are using Novell's ZENworks for Desktops to deploy the client patch when users log in next. By 8:30 a.m. Wednesday, 90 percent of my users already had the patch installed."
A net manager on Novell's GroupWise forum indicated that he had 80 post offices to patch, and at five minutes per post office it would take almost seven hours to apply the server patch. In its warning to customers, Novell says to apply the patch to post offices on servers before workstations. The company says that even though it is still necessary to patch workstations, the performance effect of the bug on workstations will be unnoticeable.
Customers are also grumbling about the size of the patch.
"From what I have read, only a few files are replaced by the Padlock update, yet it's over 28M bytes (in size)," Riley says. "Even if you accounted for every supported version of GroupWise, it would be difficult to end up with 28M bytes of compressed (files). For me, this begs the question, 'What really is in the Padlock patch?'" David Strickler, a consultant with GroupWise integrator DWS, says the patch consists not only of the bug fix, but also script files that help in distributing the patch.
Network managers such as Riley also expressed a general distrust of service packs from Novell, saying past fixes have been unsuccessful or introduced new problems into the system.
"Patches were scary," says Mike Shaw, a security consultant in Birmingham, Ala. "Patching GroupWise was definitely a Friday night, 'hope I get it up by Monday morning' event."
"Service Pack 1 for GroupWise 5.5 was a nightmare," Riley says. "I had to restart the Service Pack 1 patch several times before I finally made it through the entire process. It took hours."
Although the problem Novell is fixing has been present in GroupWise 5.5 Enhancement Pack for a couple of years, Novell just recently discovered it, Turner says.
"It's terrible timing for us and the whole industry because so many security issues have been brought out with everyone's software lately," Turner says. "We could have used the sleep."