RIM this week released a security advisory addressing a vulnerability in the BlackBerry Administration API, a component included in the BlackBerry Enterprise Server. The vulnerability may allow an attacker who has been granted user permissions to the BlackBerry Administration API to disclose sensitive information or cause a denial-of-service condition.
BlackBerry Enterprise Server administrators are encouraged to review the BlackBerry security advisory KB27258 and apply any necessary updates to help mitigate the risks.
The BlackBerry Administration API is a BlackBerry Enterprise Server component that is installed on the server that hosts the BlackBerry Administration Service. The BlackBerry Administration API contains multiple web services that receive API requests from client applications. The BlackBerry Administration API then translates requests into a format that the BlackBerry Administration Service can process.
This issue affects the BlackBerry® Administration Application Programming Interface (API) component within the BlackBerry Administration Service component of the following software versions:
• BlackBerry® Enterprise Server version 5.0.0 for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise (with the BlackBerry® Administration API component installed as an option only)
• BlackBerry® Enterprise Server Express 5.0.0 for Microsoft Exchange and IBM Lotus Domino (with the BlackBerry® Administration API component installed as an option only)
• BlackBerry® Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange
• BlackBerry® Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM Lotus Domino
• BlackBerry® Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange and IBM Lotus Domino
• BlackBerry® Enterprise Server version 5.0.1 for GroupWise
Updates from RIM are available here:
BlackBerry smartphones and BlackBerry Device Software are NOT affected.