Security Vulnerability May Allow a Local Unprivileged User to Partially Read Arbitrary Files

| Category : | Security |
| Release Phase : | Resolved |
| Product : | iPlanet Messaging Server 5.2 Patch 1; Sun Java System Messaging Server 6.0 |
| Bug Id : | 6441337 |
| Date of Resolved Release : | 19-OCT-2006 |
Impact
A security vulnerability in the iPlanet Messaging Server and Sun Java System Messaging Server may allow a local unprivileged user to read some data from any file on the system.
This issue is also described in CVE-2006-3159: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3159
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- iPlanet Messaging Server 5.2 (for Solaris 8 and 9) without patch 5.2hf2.14
- Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 8, 9, and 10) without patch 118207-57
x86 Platform
- Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 9 and 10) without patch 118208-57
Linux Platform
- Sun Java Messaging Server 6.0, 6.1, and 6.2 (for RHEL 2.1 and 3.0) without patch 118209-57
Note: A valid local account is required on the server running the iPlanet or Sun Java System Messaging Server.
To determine the version of iPlanet Messaging Server on a system, the following command can be run:
% cat /etc/msgregistry.inf
If this file exists, a list of instances and installs (if any) will be displayed.
To determine the version of Sun Java Messaging Server on a system, the following command can be run:
% /opt/SUNWmsgsr/sbin/imsimta version
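Beyond the product version, a Solaris host is only fixed once the patch revision listed under Contributing Factors (118207-57 on SPARC, 118208-57 on x86) is installed. The following script is an added example, not part of this Sun Alert: it parses `showrev -p` output and reports whether the required revision is present. It assumes the standard `showrev -p` line format ("Patch: 118207-55 Obsoletes: ...") and falls back to a constructed sample when `showrev` is unavailable.

```shell
#!/bin/sh
# Added example (not Sun's code): check whether a Messaging Server host carries
# the patch revision required by this alert. Assumes `showrev -p` prints lines
# of the form "Patch: 118207-55 Obsoletes:  Requires:  Incompatibles:  Packages: ...".

# installed_rev SHOWREV_OUTPUT PATCH_ID -> highest installed revision, or "none"
installed_rev() {
    _best=$(printf '%s\n' "$1" \
        | sed -n "s/^Patch: $2-\([0-9][0-9]*\).*/\1/p" | sort -n | tail -1)
    printf '%s' "${_best:-none}"
}

# required_rev_installed SHOWREV_OUTPUT PATCH_ID MIN_REV
# Returns 0 when the highest installed revision of PATCH_ID is >= MIN_REV.
required_rev_installed() {
    _rev=$(installed_rev "$1" "$2")
    if [ "$_rev" != "none" ] && [ "$_rev" -ge "$3" ]; then
        return 0
    else
        return 1
    fi
}

# Constructed sample output: an older revision (55) of the SPARC patch is installed.
SAMPLE_SHOWREV='Patch: 118207-55 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmsgin
Patch: 118207-42 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmsgin
Patch: 119963-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC'

# check_host PATCH_ID MIN_REV -> prints OK or VULNERABLE for this host
check_host() {
    if command -v showrev >/dev/null 2>&1; then
        _data=$(showrev -p)
    else
        _data=$SAMPLE_SHOWREV    # offline run: use the constructed sample
    fi
    if required_rev_installed "$_data" "$1" "$2"; then
        echo "OK: patch $1-$(installed_rev "$_data" "$1") installed (>= $1-$2)"
    else
        echo "VULNERABLE: patch $1 revision $(installed_rev "$_data" "$1") < $2"
    fi
}

check_host 118207 57    # SPARC id; use 118208 57 on x86
```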
Symptoms
There are no predictable symptoms that would indicate the described vulnerability has been exploited.
Workaround
To work around the described issue, restrict shell account access on the Messaging Server to trusted or "root" users only; this limits the potential for any data to be revealed.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- iPlanet Messaging Server 5.2 (for Solaris 8 and 9) with patch 5.2hf2.14 or later
- Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 8, 9, and 10) with patch 118207-57 or later
x86 Platform
- Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 9 and 10) with patch 118208-57 or later
Linux Platform
- Sun Java Messaging Server 6.0, 6.1, and 6.2 (for RHEL 2.1 and 3.0) with patch 118209-57 or later
Modification History
13-Jul-2006:
08-Sep-2006:
- Updated Contributing Factors, Relief/Workaround, and Resolution sections
14-Sep-2006:
- Updated Relief/Workaround section
19-Oct-2006:
- Updated Contributing Factors and Resolution sections
- State: Resolved
Attachments
This solution has no attachment.