Security Vulnerability in the Sun Java Web Console May Allow Access to Privileged Data or Lead to Denial of Service |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Sun Java Web Console 2.2.3
Solaris 10 Operating System
Sun Java Web Console 2.2.5
Sun Java Web Console 2.2.4
Sun Java Web Console 2.2.2
|
| Bug Id : | 6505096
|
| Date of Resolved Release : | 17-APR-2007
|
A security vulnerability in the Sun Java Web Console may allow a local or remote unprivileged user to access privileged data or crash the Java Web Console service, leading to a Denial of Service (DoS) condition.
Sun acknowledges with thanks, Frank Dick of N.RUNS AG (http://www.nruns.com/) for bringing this issue to our attention.
For additional information regarding this issue, see the following:
N.RUNS AG security bulletin at http://www.nruns.com/security_advisory_sun_java_format_string.php
CVE-2007-1681 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1681
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun Java Web Console 2.2.2
- Sun Java Web Console 2.2.3
- Sun Java Web Console 2.2.4
- Sun Java Web Console 2.2.5
- Solaris 10 without patch 121211-02
x86 Platform
- Sun Java Web Console 2.2.2
- Sun Java Web Console 2.2.3
- Sun Java Web Console 2.2.4
- Sun Java Web Console 2.2.5
- Solaris 10 without patch 121212-02
Notes:
- Solaris 8 and 9 do not ship Sun Java Web Console and are not impacted by this issue.
- Solaris 10 ships Sun Java Web Console and hence is impacted by this issue.
- Solaris 10 11/06 and later releases ship with a version of Sun Java Web Console which is not impacted by this issue.
To determine the version of Sun Java Web Console installed on the system, the following command can be run:
$ /usr/sbin/smcwebserver -V
Version 2.2.2
Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
Workaround
To work around the described issue, configure the Sun Java Web Console logging service to turn off writing messages to syslog. This can be done by executing the following command as the root user:
# /usr/sbin/smreg add -p -c logging.default.level=off
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun Java Web Console 2.2.6 or later
- Solaris 10 with patch 121211-02 or later
x86 Platform
- Sun Java Web Console 2.2.6 or later
- Solaris 10 with patch 121212-02 or later
Sun Java Web Console 2.2.6 can be downloaded at http://www.sun.com/download/products.xml?id=461d58be
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
