A Vulnerability in Access Manager 7.1 may Allow Unauthorized Access to Resources |
|
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 6644879
|
| Product : | Sun Java System Access Manager 7.1
|
| Date of Workaround Release : | 11-Jun-2008
|
| Date of Resolved Release : | 24-Dec-2008
|
In AM 7.1 and later patches, a user can get to AM login screen, ... (see below for details):
1. Impact
Under certain configurations, a security vulnerability in Sun Java
System Access Manager 7.1 may allow a remote unprivileged user to
gain unauthorized access to resources or to gain administrator
privileges without any authentication.
2. Contributing Factors
This issue can occur in the following releases:
- Sun Java System Access Manager 7.1 without patch 140504-02
SPARC Platform
- Sun Java System Access Manager 7.1 without patch 126356-02
x86 Platform
- Sun Java System Access Manager 7.1 without patch 126357-02
Linux Platform
- Sun Java System Access Manager 7.1 without patch 126358-02
Windows Platform
- Sun Java System Access Manager 7.1 without patch 126359-02
HP-UX Platform
- Sun Java System Access Manager 7.1
To determine the version of Access Manager on a Solaris system, the
following
command can be run:
% pkginfo -l SUNWamsvc
PKGINST: SUNWamsvc
NAME: Sun Java System Access Manager Services
CATEGORY: application
ARCH: all
VERSION: 7.1,REV=06.12.19.15.12
To determine the version of Sun Java System Access Manager on other
systems, the following command can be run:
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7.1
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 2005Q4
Other versions of Sun Java System Access Manager are not
affected.
Note: Only Sun Java System Access Manager 7.1 installations that
are configured to use Sun Directory Server Enterprise Edition
(DSEE) 5.2 in any configuration or Sun Directory Server Enterprise
Edition (DSEE) 6 with a non-default configuration mode (that allows
binds without a password) as the backend are affected by this issue.
3. Symptoms
There are no predictable symptoms that would show that the described
vulnerability has been exploited to gain unauthenticated access to resources.
4. Workaround
Currently there is no workaround for this issue if AM 7.1 is
configured
to use DSEE 5.2 as the LDAP repository.
To workaround this issue for Access Manager configured to use DSEE 6,
DSEE 6 needs to be configured in the default DSEE 6 configuration which
is to "require a bind password". Access Manager login will display
"Authentication Failed." in this case thereby preventing this issue from being exploited.
This can be done by executing the 'dsconf' command on the DSEE 6 as
follows:
# ./dsconf set-server-prop -e require-bind-pwd-enabled:on
Enter "cn=Directory Manager" password:
To print the value of require-bind-pwd-enabled:
# ./dsconf get-server-prop -e require-bind-pwd-enabled
Enter "cn=Directory Manager" password:
require-bind-pwd-enabled : on
After you have set the "require-bind-pwd-enabled" option to "on," you
will be not be able to login to Access Manager with a blank password.
5. Resolution
This issue is addressed in the following releases:
- Sun Java System Access Manager 7.1 with patch 140504-02
SPARC Platform
- Sun Java System Access Manager 7.1 with patch 126356-02
x86 Platform
- Sun Java System Access Manager 7.1 with patch 126357-02
Linux Platform
- Sun Java System Access Manager 7.1 with patch 126358-02
Windows Platform
- Sun Java System Access Manager 7.1 with patch 126359-02
For more information on Security Sun Alerts, see Technical Instruction
ID 213557
http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.Modification History24-Dec-2008: Updated Contributing Factors and Resolution sections. Resolved
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
