Security Vulnerability in Sun Java System Application Server and Sun Java System Web Server May Allow a Remote Unprivileged User to Read Certain Files



Category: Security
Release Phase: Resolved
Product: Sun ONE Application Server 7, Standard Edition
         Sun Java System Web Server 6.1
         Sun Java System Web Server 6.0 Service Pack 8
         Sun Java System Application Server Enterprise Edition 7 2004Q2
         Sun Java System Application Server Enterprise Edition 8.1 2005Q1
         Sun ONE Application Server 7, Platform Edition
Bug Id: 6302377, 6284124, 6308777
Date of Resolved Release: 27-JUL-2006


Impact

A security vulnerability in Sun Java System Application Server (SJSAS) and Sun Java System Web Server (SJSWS) may allow a remote unprivileged user to read files outside of the configured document root directory of the system upon which SJSAS or SJSWS is running.
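The impact described above is a document-root escape: a request that is mapped onto the filesystem without being confined to the configured document root. As an added illustration that is not Sun's code and is not taken from this alert, the Python helper below shows the confinement check a file-serving component needs: percent-decode once, reject `..` segments and NUL bytes, and then compare the symlink-resolved target against the resolved document root. The names `resolve_under_docroot` and `demo`, and the throwaway docroot that `demo` builds, are constructed for this example.

```python
import os
import posixpath
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_under_docroot(docroot: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path onto the filesystem, confined to docroot.

    Returns the absolute filesystem path to serve, or None when the request
    would escape the document root.  Hypothetical helper written for this
    example; it is not the Sun server's own code.
    """
    # Decode percent-encoding exactly once.  A doubly-encoded "%252e%252e"
    # becomes the literal "%2e%2e" here and is never decoded again.
    decoded = unquote(request_path)
    # An embedded NUL can truncate the path in C string APIs, so refuse it.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so "..\\" is not a way around the check
    # on Windows hosts.
    decoded = decoded.replace("\\", "/")
    # Reject any ".." segment outright rather than silently remapping it;
    # a traversal attempt should never reach the filesystem.
    if ".." in decoded.split("/"):
        return None
    # Lexically collapse "." segments and duplicate slashes; the leading "/"
    # forces interpretation relative to the docroot.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    root = os.path.realpath(docroot)
    candidate = os.path.join(root, normalized.lstrip("/"))
    # Resolve symlinks: a link inside the docroot that points outside it
    # must not be followed past the root.
    real = os.path.realpath(candidate)
    if os.path.commonpath([root, real]) != root:
        return None
    return real


def demo() -> Dict[str, object]:
    """Build a constructed sample docroot and exercise the check."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "docroot")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<html>hello</html>")
    # A file that sits outside the docroot and must stay unreachable.
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the docroot")
    # A symlink inside the docroot pointing at the outside file.
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(docroot, "leak"))
    expected_index = os.path.realpath(os.path.join(docroot, "index.html"))
    return {
        "plain": resolve_under_docroot(docroot, "/index.html") == expected_index,
        "dotdot": resolve_under_docroot(docroot, "/../secret.txt"),
        "encoded": resolve_under_docroot(docroot, "/%2e%2e/secret.txt"),
        "backslash": resolve_under_docroot(docroot, "/..\\secret.txt"),
        "symlink": resolve_under_docroot(docroot, "/leak"),
        "nul": resolve_under_docroot(docroot, "/index.html%00.txt"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The symlink case is the one a purely lexical check misses: the request path contains no `..` at all, yet the resolved target lies outside the document root, which is why the comparison is done on `realpath` output for both sides.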


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-02 or (SVR4) patch 119166-09
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 116648-18

x86 Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119170-02 or (SVR4) patch 119167-09
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 116649-18

Linux Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119171-02 or (SVR4) patch 119168-09
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 118202-10

AIX Platform

  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6

HP-UX Platform

  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (native) patch 121514-01
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 121510-02

Windows Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119172-07 or (native) patch 121528-01
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 121524-02

To determine the version of Sun Java System Application Server on a system, the following command can be run:

    $ <AS_INSTALL>/bin/asadmin version --verbose
    Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)

(Where <AS_INSTALL> is the installation directory of the Application Server).

To determine the version of Sun Java System Web Server on a system, the following command can be run:

    $ <WS-install>/https-<host>/start -version

(Where <WS-install> is the top installation directory of the Web Server and <host> is the actual host name on which the Web Server is installed).


Symptoms

There are no reliable symptoms that would indicate the described issues have been exploited.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119169-02 or (SVR4) patch 119166-09 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 116648-18 or later

x86 Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119170-02 or (SVR4) patch 119167-09 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 116649-18 or later

Linux Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119171-02 or (SVR4) patch 119168-09 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 118202-10 or later

AIX Platform

  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later

HP-UX Platform

  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (native) patch 121514-01 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 121510-02 or later

Windows Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file based) patch 119172-07 or (native) patch 121528-01 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 121524-02 or later

Product Updates:

Sun ONE Application Server 7 Update 8 can be found at: http://www.sun.com/download/products.xml?id=438cfb75

Sun Java System Application Server 7 2004 Q2 Update 5 can be found at: http://www.sun.com/download/products.xml?id=44529a75

Sun Java System Web Server 6.0 Service Pack 10 can be found at: http://www.sun.com/download/products.xml?id=43a84f89

Sun Java System Web Server 6.1 Service Pack 6 can be found at: http://www.sun.com/download/products.xml?id=44989742




Modification History


Date: 16-MAR-2007
  • Updated Contributing Factors and Resolution sections



Attachments
This solution has no attachment

Article Details
Article ID : 200062
Article Type : Sun Alert
Last reviewed : 2007-06-04
Audience : PUBLIC