Cross site scripting vulnerability in the BlackBerry Enterprise Server MDS Connection Service

Article ID: KB17969

Type:   Security Advisory

First Published: 04-16-09

Last Modified: 03-14-2012

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Lotus Domino
Affected Software

  • BlackBerry® Enterprise Server software version 4.1.6 MR4 and earlier

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 3.5.

Overview

This advisory describes a security issue whereby the MDS Connection Service of the BlackBerry Enterprise Server is susceptible to a potential cross site scripting vulnerability. The issue relates to the handling of malformed URLs.

Issue Status: Vulnerability confirmed. Software containing security update released.

Recommendation

Complete the resolution actions documented in this advisory.

References

CVE® Identifier: CVE-2009-0307

Problem

A security vulnerability exists in the MDS Connection Service of the BlackBerry Enterprise Server Version 4.1.6 MR4 and earlier. This vulnerability could enable externally supplied scripts to be executed in the security context of the user administering the MDS Connection Service using the BlackBerry MDS Connection Service administrative web page on port 8080.
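The defect class described above, modelled as an added example that is not RIM's code: a hypothetical administrative error page that echoes a malformed request URL straight into its HTML reflects any markup the URL carries, while HTML-escaping the echoed value renders it as inert text. A small access-log triage check for the port 8080 administrative page is included; the log format and all names are assumptions.

```python
"""Added example (not RIM's code): reflected XSS via an echoed URL, its
hardened form, and a coarse log-triage check for the admin page on port 8080.
All names, the page template and the log format are hypothetical."""
import html
from urllib.parse import unquote

# Hypothetical error page of an administrative web service (constructed).
ERROR_TEMPLATE = "<html><body><p>Could not process request: {url}</p></body></html>"

# Administrative page the advisory names; requests elsewhere are ignored.
ADMIN_PORT = 8080


def render_error_vulnerable(request_url: str) -> str:
    """Echo the raw URL into the page: markup in the URL becomes live markup."""
    return ERROR_TEMPLATE.format(url=request_url)


def render_error_hardened(request_url: str) -> str:
    """Escape the URL before it reaches the HTML body, so '<' becomes '&lt;'."""
    return ERROR_TEMPLATE.format(url=html.escape(request_url, quote=True))


def is_suspicious_admin_request(log_line: str) -> bool:
    """Flag requests to the admin port whose decoded path carries HTML markers.

    Constructed log format: "<client> <host:port> <method> <path> <status>".
    Percent-decoding first catches encoded forms such as %3Cscript%3E.
    """
    parts = log_line.split()
    if len(parts) < 5:
        return False
    _client, hostport, _method, path, _status = parts[:5]
    if not hostport.endswith(f":{ADMIN_PORT}"):
        return False
    decoded = unquote(path).lower()
    return any(marker in decoded for marker in ("<", ">", "javascript:"))


def triage(log_lines: list[str]) -> list[str]:
    """Return only the log lines that warrant a closer look."""
    return [line for line in log_lines if is_suspicious_admin_request(line)]


# Constructed sample log: one benign admin request, one encoded markup probe,
# and one markup-bearing request to a non-admin port (not in scope).
SAMPLE_LOG = [
    "10.0.0.5 bes.example.local:8080 GET /admin/status 200",
    "10.0.0.7 bes.example.local:8080 GET /admin/%3Cscript%3E 404",
    "10.0.0.9 bes.example.local:80 GET /<b>index</b> 404",
]
```

`render_error_hardened` addresses only the reflection point; the advisory's actual fix is the vendor update to 4.1.6 MR5.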

Resolution

RIM has corrected this vulnerability in BlackBerry Enterprise Server version 4.1.6 MR5, and recommends that this update be installed for improved stability and security.

Visit http://www.blackberry.com/go/serverdownloads to obtain this update for affected BlackBerry Enterprise Server software versions.

Workaround

The issue can be fully mitigated by disabling script execution within the browser. However, this may affect operation of the features of the BlackBerry MDS Connection Service administrative web page on port 8080. Partial mitigation can be achieved by logging in to the BlackBerry MDS Connection Service administrative web page on port 8080 using an account with lesser rights or from a system with a browser that supports enhanced security mode such as Microsoft® Windows Server 2003, Microsoft Windows Server 2008 or Microsoft Vista.

Additional Information

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security-relevant issues a non-zero score.

BlackBerry Security

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements

RIM thanks Ken Millar of Sensient Technologies Corporation, Michael Thumann of ERNW, and Martin O'Neal and Stephen de Vries of Corsaire for independently reporting this issue to RIM, and working with RIM to protect its customers.

Change Log

09-02-10

Updates to article formatting. No technical content changed.

04-23-09

The name of a BlackBerry Enterprise Server tool used to administer the BlackBerry MDS Connection Service was incorrectly given. This advisory has been updated to correct the name of the tool to "the BlackBerry MDS Connection Service administrative web page on port 8080."
