Research in Motion (RIM) has released patches to address the serious security vulnerability in a BlackBerry Enterprise Server component. Exploitation of this security hole could lead to information disclosure and partial denial of services (DoS), the company informed in an advisory.
A vulnerability in the BlackBerry Administration Application Programming Interface (API) could allow attackers to access files containing only printable characters, including unencrypted text files. Binary file formats and formats used for message storage are not affected, reports RIM. It’s limited to user permissions granted to the API component, and successful exploitation may allow information disclosure. The vulnerability may also result in resource exhaustion, which could be used to perform a partial denial of service (DoS).
It affects the BlackBerry Administration Application Programming Interface (API) component within the BlackBerry Administration Service component of the BlackBerry Enterprise Server Express versions 5.0.x for IBM Lotus Domino, Microsoft exchange and BlackBerry Enterprise Server versions 5.0.x for IBM Lotus Domino, Microsoft exchange and Novell GroupWise.
The company said in its advisory that BlackBerry devices and smart-phones are not affected by the vulnerability. RIM has also stated that its BlackBerry Device Software, BlackBerry Desktop Software and BlackBerry Internet Service remain unaffected.
The vulnerability has a CVSS score of 4.8 out of 10.0. RIM recommends that BlackBerry Enterprise Server administrators apply interim software patches released by RIM immediately to fix the problem. Details on patches for specific version can be found in this knowledge-base article.