Security Vulnerability in Sun Java System Access Manager May Allow Administrator Access to Users Logged in As Root |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Sun Java System Access Manager 7 2005Q4
|
| Bug Id : | 6356879
|
| Date of Resolved Release : | 01-FEB-2006
|
A local user logged in as "root" on a system with Sun Java System Access Manager may be able to use the "amadmin" CLI tool to administer the Access Manager installation with the privileges of the top-level administrator (regardless of the credentials originally used to login to the Access Manager server). Access Manager security is compromised.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun Java System Access Manager 7.0 (for Solaris 8, 9 and 10) without patch 120954-01
x86 Platform
- Sun Java System Access Manager 7.0 (for Solaris 9 and 10) without patch 120955-01
LINUX Platform
- Sun Java System Access Manager 7.0 without patch 120956-01
Windows Platform
- Sun Java System Access Manager 7.0 without patch 124296-05
Notes:
- Sun Java System Access Manager versions previous to 7.0 are not affected by this issue.
- Sun Java System 7.0 is not supported on Solaris 8 for x86.
To determine if Sun Java System Access Manager is installed on a system, the following command can be run:
% pkginfo -l SUNWamsvc
PKGINST: SUNWamsvc
NAME: Sun Java System Access Manager Services
CATEGORY: application
ARCH: all
VERSION: 7.0,REV=05.08.10.09.17
To determine the version of Sun Java System Access Manager on a system, the "amadmin" command can be run from the directory in which Access Manager was installed, as in the following example:
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7 2005Q4
Symptoms
Sun Java System Access Manager may not function properly and/or product configuration and user data may be stolen or compromised.
Workaround
There is no workaround to this issue. Please see the Resolution section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun Java System Access Manager 7.0 (for Solaris 8, 9 and 10) with patch 120954-01 or later
x86 Platform
- Sun Java System Access Manager 7.0 (for Solaris 9 and 10) with patch 120955-01 or later
LINUX Platform
- Sun Java System Access Manager 7.0 with patch 120956-01 or later
Windows Platform
- Sun Java System Access Manager 7.0 with patch 124296-05 or later
Modification HistoryDate: 23-MAR-2007
- Updated Contributing Factors and Resolution sections
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
