Multiple Security Vulnerabilities in Sun Java ASP Server may lead to execution of Arbitrary Code or Unauthorized Access to Data |
|
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 6550891, 6556637
|
| Date of Resolved Release : | 03-Jun-2008
|
| Product : | Sun Java Standard Edition (Java SE)
|
Multiple Security Vulnerabilities in Sun Java ASP Server may lead to execution of Arbitrary Code or Unauthorized Access to Data
1. Impact
Multiple security vulnerabilities in the Sun Java ASP Server may allow
a local or remote unprivileged user to execute arbitrary code with the
privileges of the root user or with the privileges of the user running
the Sun Java ASP Server. These issues may also allow a remote
unprivileged user to gain unauthorized access to data, create arbitrary
files on an affected system and bypass authentication mechanisms on the
ASP application server.
Sun acknowledges with thanks, iDefense (
http://www.idefense.com), for
bringing these issues to our attention.
These issues are also described in the following documents:
iDefense Vulnerability Advisories:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=705
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=706
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=707
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=708
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=709
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=710
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=710
and the following from CVE:
2. Contributing Factors
These issues can occur in the following releases for all platforms
(Solaris 8, 9, and 10 on Solaris SPARC and x86 Platforms, Linux,
Windows, HP-UX, and AIX):
- Sun Java ASP Server 4.0.2 or earlier
Note: Sun Java ASP Server on
the Windows platform is not affected by the issues described in
CVE-2008-2401, CVE-2008-2402, CVE-2008-2403 and CVE-2008-2406.
To determine the revision of Sun Java ASP Server installed on a SPARC,
x86, Linux, HP-UX or AIX system, the following command may be run:
$ cat /opt/casp/VERSION
Sun Java System Active Server Pages Version: 4.0.2
On the Windows platform, the version of Sun Java ASP Server installed
may be determined by verifying the following key in the Windows system
registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\ChiliSoft\ChiliAsp\Install] "CaspVersion"="4.0.3"
3. Symptoms
There are no predictable symptoms that would indicate the described
issues have been exploited to execute arbitrary code with elevated
privileges or to gain unauthorized access to data.
4. Workaround
To work around the issues described in CVE-2008-2401, CVE-2008-2402,
CVE-2008-2403 and CVE-2008-2406 on the SPARC, Linux, HP-UX and AIX
platforms, disable the Admin Server on the Sun Java ASP Server. Sun
Java ASP Server on the Windows platform is not affected by the issues
described in these CVEs.
The Admin Server may be disabled as the 'root' user by using the
following command:
# /opt/casp/admtool -e
There is no workaround to the issues described in CVE-2008-2404 and
CVE-2008-2405. Please see the Resolution section below.
5. Resolution
These issues are addressed in the following releases for all
platforms (Solaris 8, 9, and 10 on Solaris SPARC and x86 Platforms,
Linux, Windows, HP-UX, and AIX):
- Sun Java ASP Server 4.0.3
The Sun Java ASP Server 4.0.3 may be downloaded at the following URL
for all platforms:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJASP-4.0.3-OTH-G-TP@CDS-CDS_SMI
For more information
on Security Sun Alerts, see Technical
Instruction
ID 213557.
This Sun Alert
notification is being provided to you on
an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems,
Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Modification History09-Jun-2008: Updated Impact section to add CVE notifications
31-Jul-2008: Correct URLs for CVE notifications
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
