
T-668: Vulnerability in a BlackBerry Enterprise Server component could allow information disclosure and partial denial of service

July 14, 2011 - 7:20am


PROBLEM:

Vulnerability in a BlackBerry Enterprise Server component could allow information disclosure and partial denial of service

PLATFORM:

Affected Software >> BlackBerry Enterprise Server (BES) version(s) 5.0.0 for API/MS Exchange (Admin API Option Only), BES/Express version 5.0.2 & 5.0.3 IBM Lotus Domino, BES 5.0.1, 5.0.2 & 5.0.3 for MS Exchange, IBM Lotus Domino, BlackBerry Enterprise Server versions 5.0.1 for GroupWise

ABSTRACT:

This advisory describes a security issue in the BlackBerry Administration API component. Successful exploitation of the vulnerability could result in information disclosure and partial denial of service (DoS). The BlackBerry Administration API is a BlackBerry Enterprise Server component that is installed on the server that hosts the BlackBerry Administration Service. The BlackBerry Administration API contains multiple web services that receive API requests from client applications. The BlackBerry Administration API then translates requests into a format that the BlackBerry Administration Service can process.

REFERENCE LINKS:

BlackBerry Security Advisory - KB27258
BlackBerry Administration Service
Software Download for BlackBerry Enterprise Server & BlackBerry Enterprise Server Express

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A vulnerability exists in the BlackBerry Administration API which could allow an attacker to read files that contain only printable characters on the BlackBerry Enterprise Server, including unencrypted text files. Binary file formats, including those used for message storage, are not affected. This vulnerability is limited to the user permissions granted to the BlackBerry Administration API component.
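One way to gauge the exposure described above is to list the files that the current account can read and that contain only printable characters. This is an added example, not part of the advisory or RIM's code. It assumes "printable" means ASCII printable characters plus whitespace, since the advisory does not define the set, and the function names and sample files are constructed for illustration.

```python
import os
import string
import tempfile

# Assumption: "printable" = ASCII printable characters plus whitespace.
# The advisory does not define the exact character set.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def is_printable_only(path, chunk_size=65536):
    """Return True if every byte of the file is in PRINTABLE."""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            if not PRINTABLE.issuperset(chunk):
                return False
    return True


def exposed_text_files(root):
    """List non-empty files under root that this account can read and that
    contain only printable characters. Run it as the account used by the
    BlackBerry Administration API so the result mirrors its permissions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) and is_printable_only(path):
                    hits.append(path)
            except OSError:
                continue  # not readable by this account: outside the exposure
    return sorted(hits)


def demo():
    """Build a constructed sample tree and return the relative paths flagged."""
    samples = {  # constructed sample data, not real server files
        "app.properties": b"db.user=svc\r\ndb.password=example\r\n",
        "mailstore.dat": b"\x00\x01\xfe\xffbinary",
        "notes.txt": b"plain text\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root) for p in exposed_text_files(root)]


if __name__ == "__main__":
    print(demo())
```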

SOLUTION:

RIM has issued the following releases and interim security software updates that resolve the vulnerability in affected versions of the BlackBerry Enterprise Server:
BlackBerry Community Support
 
