Cross-site Scripting Vulnerability in Sun Java System Access Manager |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Sun Java System Access Manager 6 2005Q1
Sun Java System Access Manager 7 2005Q4
|
| Bug Id : | 6463730
|
| Date of Workaround Release : | 29-JAN-2007
|
| Date of Resolved Release : | 27-FEB-2007
|
A Cross Site Scripting (CSS or XSS) vulnerability in the Sun Java System Access Server may allow an unprivileged remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.
Additional information about cross-site scripting and web script vulnerabilities can be found at the following URLs:
http://www.cert.org/archive/pdf/cross_site_scripting.pdf
http://www.cert.org/tech_tips/malicious_code_FAQ.html
http://www.cert.org/advisories/CA-2000-02.html
Contributing Factors
These issues can occur in the following releases:
SPARC Platform
- Sun Java System Access Manager 7 2005Q4 (7.0) (for Solaris 8, 9 and 10) without patch 120954-04
- Sun Java System Access Manager 6 2005Q1 (6.3) (for Solaris 8, 9 and 10) without patch 119465-09
- Sun Java System Access Manager 6.2 (for Solaris 8 and 9) without patch 115766-13
- Sun Java System Access Manager 6.1 (for Solaris 8 and 9) without patch 117586-21
x86 Platform
- Sun Java System Access Manager 7 2005Q4 (7.0) (for Solaris 9 and 10) without patch 120955-04
- Sun Java System Access Manager 6 2005Q1 (6.3) (for Solaris 8, 9 and 10) without patch 119465-09
- Sun Java System Access Manager 6.2 (for Solaris 8 and 9) without patch 120091-13
Linux Platform
- Sun Java System Access Manager 7 2005Q4 (7.0) without patch 120956-04
- Sun Java System Access Manager 6 2005Q1 (6.3) without patch 119502-09
- Sun Java System Access Manager 6.2 without patch 119409-13
To determine if Sun Java System Access Manager is installed on a system, the following command can be run:
% pkginfo -l SUNWamsvc
PKGINST: SUNWamsvc
NAME: Sun Java System Access Manager Services
CATEGORY: application
ARCH: all
VERSION: 7.0,REV=05.08.10.09.17
To determine the version of Sun Java System Access Manager on a system, the following command can be run:
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7 2005Q4
Symptoms
There are no predictable symptoms that would indicate the described issue has occurred.
Workaround
There is no workaround for this issue. Please see the Resolution section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun Java System Access Manager 7 2005Q4 (7.0) (for Solaris 8, 9 and 10) with patch 120954-04 or later
- Sun Java System Access Manager 6 2005Q1 (6.3) (for Solaris 8, 9 and 10) with patch 119465-09 or later
- Sun Java System Access Manager 6.2 (for Solaris 8 and 9) with patch 115766-13 or later
- Sun Java System Access Manager 6.1 (for Solaris 8 and 9) with patch 117586-21 or later
x86 Platform
- Sun Java System Access Manager 7 2005Q4 (7.0) (for Solaris 9 and 10) with patch 120955-04 or later
- Sun Java System Access Manager 6 2005Q1 (6.3) (for Solaris 8, 9 and 10) with patch 119465-09 or later
- Sun Java System Access Manager 6.2 (for Solaris 8 and 9) with patch 120091-13 or later
Linux Platform
- Sun Java System Access Manager 7 2005Q4 (7.0) with patch 120956-04 or later
- Sun Java System Access Manager 6 2005Q1 (6.3) with patch 119502-09 or later
- Sun Java System Access Manager 6.2 with patch 119409-13 or later
Modification HistoryDate: 27-FEB-2007
27-Feb-2007:
- Updated Contributing Factors and Resolution sections
- State: Resolved
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
