Cross Site Scripting Vulnerability in Sun ONE and Sun Java System Applications |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Sun Java System Application Server Standard Edition 7 2004Q2
Sun ONE Application Server 7, Standard Edition
Sun Java System Web Server 6.1 Service Pack 4
Sun ONE Web Server 6.0 Service Pack 9
Sun Java System Application Server Enterprise Edition 7 2004Q2
Sun ONE Application Server 7, Platform Edition
|
| Bug Id : | 6239342, 6240424, 6240422
|
| Date of Resolved Release : | 18-MAY-2006
|
A Cross Site Scripting (XSS) vulnerability in various releases of the Sun Java System Web Server and Sun Java System Application Server may allow an unprivileged local or remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.
Sun acknowledges with thanks, CERT and JPCERT/CC for bringing this issue to our attention.
This issue is described in JPCERT/CC Vulnerability JVN#03D5EAA8 at http://jvn.jp/jp/JVN%2303D5EAA8/index.html
Sun also acknowledges with thanks, Little eArth Corporation Co., Ltd., for discovering and reporting this issue.
Contributing Factors
This issue can occur in the following releases:
- Sun ONE Web Server 6.0 Service Pack 9 and earlier
- Sun Java System Web Server 6.1 Service Pack 4 and earlier
- Sun ONE Application Server 7 Platform Edition Update 6 and earlier
- Sun ONE Application Server 7 Standard Edition Update 6 and earlier
- Sun Java System Application Server 7 2004Q2 Standard Edition Update 2 and earlier
- Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 2 and earlier
To determine the version of Sun Java System Application Server on a system, the following command can be run:
$ <AS_INSTALL>/bin/asadmin version --verbose
Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)
(Where <AS_INSTALL> is the installation directory of the Application Server)
To determine the version of Sun ONE Application Server on a system, the following command can be run:
$ <WS-install>/https-<host>/start -version
where <WS-install> is top installation directory of Web Server and <host> should be the actual host name on which the Web Server is installed.
Symptoms
There are no predictable symptoms that would indicate the described issue has occurred.
Workaround
There is no workaround to this issue. Please see the Resolution section below.
Resolution
This issue is addressed in the following releases:
- Sun ONE Web Server 6.0 Service Pack 10 or later at
http://www.sun.com/download/products.xml?id=43a84f89
- Sun Java System Web Server 6.1 Service Pack 5 or later at
http://www.sun.com/download/products.xml?id=434aec1d
(International version at http://www.sun.com/download/products.xml?id=43c43041)
- Sun ONE Application Server 7 Platform Edition Update 7 or later at
http://www.sun.com/download/products.xml?id=42ae3178
- Sun ONE Application Server 7 Standard Edition Update 7 or later at
http://www.sun.com/download/products.xml?id=42ae317c
- Sun Java System Application Server 7 2004Q2 Standard Edition Update 3 or later at
http://www.sun.com/download/products.xml?id=427fe06d
- Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 3 or later at
http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=8&PartDetailId=SJAS72004Q2U3-EE-OTH-G-ES
Modification HistoryDate: 17-JUL-2006
17-Jul-2006:
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
