Good Mobile Messaging - Security Bulletin
Product: GMM Server
Date: 13 February 2009
Updated: 21 May 2009
Title: Good Mobile Messaging - Security Bulletin
Executive Summary:
This security bulletin addresses a potential vulnerability in one of the third-party libraries used by Good Mobile Messaging Server for converting attachments to text when choosing the "View as Text" option from the Good Messaging client. While Good Messaging does not use the full suite of capabilities that these third-party libraries provide and it is possible we do not suffer from this vulnerability, your organization may still be at risk. The potential vulnerability could allow an attacker to send an electronic mail message with an attachment to a Good Messaging user. When the user chooses to "View" the attachment, this vulnerability could be exploited, resulting in the attacker gaining "Good Admin" user privileges.
Good Technology considers this vulnerability to be a very serious security issue and strongly recommends that you implement the fix in the resolution section of this KB.
Resolution:
Upgrade your Good Mobile Messaging Server to a hot fix version as noted below. The hot fix will replace the older libraries with newer libraries. The newer libraries address the vulnerability described above. This hot fix addresses a potential vulnerability with one of the third-party libraries used by Good Mobile Messaging for converting attachments to text when choosing the "View as Text" option from the Good Messaging client. This hot fix shall be applied against Good Messaging Server for Exchange and to Good Messaging Server for Domino.
This resolution applies to Good Messaging Server for Exchange and Good Messaging Server for Domino.
1. Download the hot fix for your corresponding Good Mobile Messaging server below.
2. Run the hot fix installer on each instance of Good Mobile Messaging Server. You do not have to upgrade Good Management Console, Good Mobile Control server (formerly known as Good Administration Center) or Good Mobile Access Server (formerly known as Good Mobile Connection server or GMx).
Good Messaging Server for Exchange hot fix download:
Customers running Good Messaging for Exchange 6.0.0.106 simply upgrade to this hot fix version:
ftp://goodcust:g00d4Me!@ftp.good.com/gmm_server_exchange_6_0_0_125_hotfix.exe
If applying hot fix to Good Messaging Server for Exchange 5.0.4.28 then use the following package:
ftp://goodcust:g00d4Me!@ftp.good.com/gmm_server_exchange_5_0_4_53_HotFix.exe
Customers on older versions of Good Messaging Server for Exchange will have to upgrade to Good Messaging Server 5.0.4.28 first, in order to utilize this hot fix.
Good Messaging Server for Domino hot fix download:
If applying hot fix to Good Messaging for Domino 6.0.0.108 simply upgrade to this hot fix version:
ftp://goodcust:g00d4Me!@ftp.good.com/gmm_server_domino_6_0_0_126.exe
If applying hot fix to Good Messaging for Domino 5.0.4.27 simply upgrade to this hot fix version:
ftp://goodcust:g00d4Me!@ftp.good.com/gmm_server_domino_5_0_4_54.exe
Customers on older versions of Good Messaging for Domino will have to upgrade to Good Messaging Server 5.0.4.27 first, in order to utilize this hot fix.
(If the links do not work, please cut and paste the address into your browser window.)
Important: Please do not do a straight upgrade from 5.0 to 6.0. Visit our public documentation site at http://www.good.com/corp/int_support.php?id=492 for more info on how to migrate from Good 5.0 to Good 6.0.
Work around:
Please remove GdFileConv.exe from the Good Mobile Messaging server. By default the file is found in C:\Program Files\Good Technology\Good Messaging Server\bin
Steps:
1. Log into the machine with Good Mobile Messaging Server.
2. Shut down the GoodLink Server service.
3. Remove the file GdFileConv.exe or optionally rename it.
4. Restart the GoodLink Server service.
Please repeat the above steps with each machine that has an instance of Good Mobile Messaging server. If the Good Mobile Messaging server software is re-installed, or upgraded, then the file GdFileConv.exe will be re-installed and the above steps will need to be repeated.
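The workaround steps above as a PowerShell script, added here as an example and not part of Good Technology's bulletin. It assumes the default path given above and that the service's display name begins with "GoodLink Server" (confirm with Get-Service); the .disabled suffix and the -AuditOnly switch are this example's own.

```powershell
# Added example: applies (or audits) the GdFileConv.exe workaround on this server.
# Assumptions: default install path from the bulletin; service display name
# starts with "GoodLink Server". Run from an elevated prompt on each server.
param(
    [string]$BinDir = 'C:\Program Files\Good Technology\Good Messaging Server\bin',
    [string]$ServiceDisplayName = 'GoodLink Server*',
    [switch]$AuditOnly   # report only; useful after a re-install or upgrade
)

$ErrorActionPreference = 'Stop'
$target   = Join-Path $BinDir 'GdFileConv.exe'
$disabled = "$target.disabled"   # hypothetical name for the renamed file

if (-not (Test-Path -LiteralPath $target)) {
    Write-Output "OK: $target is not present; workaround is in place."
    exit 0
}

Write-Output "FOUND: $target is present (new install, re-install or upgrade)."
if ($AuditOnly) { exit 1 }

$svc = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue)
if ($svc.Count -ne 1) {
    throw "Expected one service matching '$ServiceDisplayName', found $($svc.Count)."
}

# Step 2: shut down the service before touching the file.
Stop-Service -InputObject $svc[0]
$svc[0].WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

try {
    # Step 3: rename rather than delete so the change is easy to reverse.
    # A stale copy from an earlier run is removed first so the rename cannot collide.
    if (Test-Path -LiteralPath $disabled) { Remove-Item -LiteralPath $disabled -Force }
    Rename-Item -LiteralPath $target -NewName (Split-Path $disabled -Leaf)
}
finally {
    # Step 4: restart the service even if the rename failed.
    Start-Service -InputObject $svc[0]
}

if (Test-Path -LiteralPath $target) { throw "$target is still present." }
Write-Output "DONE: renamed to $disabled and restarted '$($svc[0].DisplayName)'."
```

Running it with -AuditOnly after any re-install or upgrade returns exit code 1 if GdFileConv.exe has come back, without changing anything.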
Side Effects:
When the user chooses to 'View' as text on the Good Client, the following error will be displayed: "Cannot Download the attachment. Format conversion failed on the server".
Alternate Work around:
Users can choose "View High Quality", which uses native viewers such as Pocket Word, Pocket Excel or Docs2Go on Palm OS devices, instead of the "View as Text" option. Please refer to Chapter 2 of the "User's Guide for All Supported Handhelds" for more information.
