Information Disclosure Vulnerability Patched for BES 10 and BES 5.0.4


A vulnerability exists in the way affected BES10 and BES5 versions log exceptions encountered during user or session management. In rare cases, when such an exception occurs, certain credentials are written to the diagnostic logs either in an encoded form or in plain text. For BlackBerry Enterprise Server 5, these credentials are the shared secrets used between the Enterprise Instant Messenger server and device clients to encrypt enterprise instant messages. For BES10, they include both shared secrets and domain credentials. Typically only the system administrator has access to the affected diagnostic logs, but note that encoding is not encryption: anyone who obtains a copy of the logs (for example, logs forwarded to support or to a central log collector) can recover the encoded values just as easily as the plain-text ones.

Affected Software:

  • BlackBerry Enterprise Service 10, versions 10 through 10.2.1
  • BlackBerry® Enterprise Server Express for IBM® Lotus® Domino® v5.0.4
  • BlackBerry Enterprise Server Express for Microsoft® Exchange v5.0.4
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® v5.0.4 MR 6 and earlier
  • BlackBerry® Enterprise Server for Microsoft® Exchange v5.0.4 MR 6 and earlier
  • BlackBerry® Enterprise Server for Novell® GroupWise® v5.0.4 MR 6 and earlier

BES 10 Resolution:

BlackBerry has issued a fix for this vulnerability, included in BlackBerry Enterprise Service version 10.2.2 and later. To be fully protected from this issue, affected customers should update to version 10.2.2 or later. Because the update only stops new credentials from being written, customers should also redact or delete any existing logs that contain domain credentials or shared secrets, whether in an encoded form or in plain text, and consider rotating those credentials where the logs may already have been copied elsewhere.

BES 5 Resolution:

BlackBerry has issued a fix for this vulnerability, included in BlackBerry Enterprise Server version 5.0.4 MR7 and in BlackBerry Enterprise Server Express v5.0.4 with the Interim Security Update for August 12, 2014. To be fully protected from this issue, affected customers should download and install the interim security update. Customers should also redact or delete any existing logs that contain shared secrets, whether in an encoded form or in plain text.
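Both resolutions above end with the same step: clean up logs that were written before the patch. The script below is an added example, not BlackBerry's tooling and not taken from KB36175, of how to redact credential values from a diagnostic log before it is retained or forwarded. The field names it looks for (password, shared secret, credentials and so on), the key=value layout and the sample lines are all assumptions; the real BES log format is not documented on this page, so adjust the pattern to the fields your logs actually use. The point it demonstrates is that an encoded value must be redacted exactly like a plain-text one, because base64 is reversible.

```python
"""Redact credential values from diagnostic log text before retention or sharing."""
from __future__ import annotations

import base64
import binascii
import re
import string
from pathlib import Path

# Field names assumed for illustration; the real BES log format is not on the page.
_KEY = r"(?:password|passwd|pwd|shared[ _-]?secret|secret|credentials?)"

# key=value, key: value, key="quoted value"; an unquoted value runs to whitespace, ',' or ';'
_CRED_RE = re.compile(
    rf'(?P<key>\b{_KEY}\b)(?P<sep>\s*[=:]\s*)(?P<val>"[^"]*"|[^\s,;]+)',
    re.IGNORECASE,
)

_PRINTABLE = set(string.printable)

# Constructed sample lines for illustration only; not real BES output.
SAMPLE_LOG = """\
2014-08-12 10:31:07 INFO  Session opened for user jdoe
2014-08-12 10:31:09 ERROR Exception in UserManager: bind failed, password=Summer2014! domain=CORP
2014-08-12 10:31:09 ERROR Exception in SessionManager: shared secret: U2hhcmVkU2VjcmV0MTIzNA== peer=10.0.0.5
2014-08-12 10:31:10 DEBUG Retrying with credentials="CORP\\jdoe:Summer2014!"
2014-08-12 10:31:11 INFO  Session closed
"""


def looks_base64_text(value: str) -> bool:
    """True if value is valid base64 that decodes to printable text.

    Used only to label the placeholder: an encoded credential is redacted
    exactly like a plain-text one, because base64 is reversible, not secret.
    """
    token = value.strip('"')
    if len(token) < 8 or len(token) % 4 != 0:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return all(ch in _PRINTABLE for ch in decoded)


def redact_line(line: str) -> tuple[str, int]:
    """Return the line with credential values replaced and how many were replaced."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        count += 1
        tag = "REDACTED:encoded" if looks_base64_text(m.group("val")) else "REDACTED"
        return f'{m.group("key")}{m.group("sep")}[{tag}]'

    return _CRED_RE.sub(_sub, line), count


def redact_text(text: str) -> tuple[str, int]:
    """Redact a whole log body held in memory; returns (clean_text, redaction_count)."""
    total = 0
    out = []
    for line in text.splitlines(keepends=True):
        clean, n = redact_line(line)
        total += n
        out.append(clean)
    return "".join(out), total


def redact_file(src: Path, dst: Path) -> int:
    """Stream a redacted copy of src to dst; return the number of values redacted.

    The original is left in place so it can be securely deleted as a separate step.
    """
    total = 0
    with src.open(encoding="utf-8", errors="replace") as fin, dst.open("w", encoding="utf-8") as fout:
        for line in fin:
            clean, n = redact_line(line)
            total += n
            fout.write(clean)
    return total


def is_clean(text: str) -> bool:
    """Check that every credential field still present carries only a placeholder value."""
    return all(m.group("val").startswith("[REDACTED") for m in _CRED_RE.finditer(text))


if __name__ == "__main__":
    clean, n = redact_text(SAMPLE_LOG)
    print(clean, end="")
    print(f"{n} credential values redacted; clean={is_clean(clean)}")
```

Run it against a copy of the logs (`redact_file(Path("BES.log"), Path("BES.redacted.log"))`), check `is_clean` on the result before sending it anywhere, and then securely delete the original rather than leaving it beside the redacted copy. Note that `domain=CORP` is deliberately left alone: the domain name is not the secret, the password is.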

Some of these patches were released as far back as April; the newest interim updates, for BES5 Express, were released yesterday.

Full details can be found in KB36175, published yesterday.

BlackBerry© is a registered Trademark of BlackBerry Limited. BerryReview is in no way affiliated with BlackBerry Limited though sometimes their lawyers send us love letters...

Copyright © 2007-2024 BerryReview LLC