SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Sun Java System Identity Manager Vendors:   Sun
Sun Java System Identity Manager Bugs Let Local and Remote Users Gain Privileges
SecurityTracker Alert ID:  1021881
SecurityTracker URL:  http://securitytracker.com/id/1021881
CVE Reference:   CVE-2009-1074, CVE-2009-1075, CVE-2009-1076, CVE-2009-1077, CVE-2009-1078, CVE-2009-1079, CVE-2009-1080, CVE-2009-1081, CVE-2009-1082, CVE-2009-1083, CVE-2009-1084   (Links to External Site)
Updated:  Apr 1 2009
Original Entry Date:  Mar 20 2009
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.x, 8.x
Description:   Several vulnerabilities were reported in Sun Java System Identity Manager. A local or remote user can access or modify data, conduct cross-site scripting attacks, or gain privileges on the target system.

A remote user monitoring the network between a client and the target Identity Manager (IDM) server can obtain information from non-SSL connections.

A local or remote user can determine value usernames on the target system.

A local or remote user can modify a password on a target user account.

A local or remote authenticated user can perform restricted actions.

A remote user can conduct cross-site scripting attacks.

A remote authenticated user can conduct cross-site scripting and cross-site request forgery attacks.

A local or remote authenticated user can execute arbitrary commands on Linux/UNIX-based resource adapters.

A local or remote authenticated user can modify system configuration data.

A remote authenticated user with privileges on a Linux/UNIX-based resource that is configured with root access can gain additional privileges or to execute arbitrary code on the target IDM system.

Marco Mella, Alexandre Bezroutchko of Scanit, Dan Sinclair of Security Compass, and ProCheckUp Ltd reported these vulnerabilities.

Impact:   A remote user can obtain potentially sensitive information.

A local or remote user can determine valid usernames on the target system.

A remote authenticated user can execute arbitrary commands on the target system.

A local or remote user can modify a password on a target user account.

A local or remote authenticated user can perform restricted actions.

A remote user can conduct cross-site scripting attacks.

A remote authenticated user can conduct cross-site scripting and cross-site request forgery attacks.

A local or remote authenticated user can modify system configuration data.

Solution:   Sun has issued the following fixes.

* Sun Java System Identity Manager 7.0 with patch 140935-01
* Sun Java System Identity Manager 7.1 with patch 140936-01
* Sun Java System Identity Manager 7.1.1 with patch 137621-11
* Sun Java System Identity Manager 8.0 with patch 139010-06

The vendor's advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1

Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1 (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC