Note: This is an archival copy of Security Sun Alert 200002 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000001.1.
Article ID : 1000001.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-08-01
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Cross-Site Scripting Vulnerability in Sun ONE and Sun Java System Application Server

Category
Security

Release Phase
Resolved

Product
Sun Java System Application Server Standard Edition 7 2004Q2
Sun ONE Application Server 7, Standard Edition
Sun Java System Application Server Enterprise Edition 8.1 2005Q1

Bug Id
6387790

Date of Resolved Release
23-JUN-2006

Impact

A Cross Site Scripting (CSS or XSS) vulnerability in the Sun ONE and Sun Java System Application Server may allow an unprivileged remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun ONE Application Server 7 without Update 9
  • Sun Java System Application Server 7 2004Q2 without Update 5
  • Sun Java System Applciation Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-08 or (SVR4) patch 119166-16

x86 Platform

  • Sun ONE Application Server 7 without Update 9
  • Sun Java System Application Server 7 2004Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119170-08 or (SVR4) patch 119167-16

Linux Platform

  • Sun ONE Application Server 7 without Update 9
  • Sun Java System Application Server 7 2004Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119171-08 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-16

Windows Platform

  • Sun ONE Application Server 7 without Update 9
  • Sun Java System Application Server 7 2004Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119172-08

Note: Previous update releases of Sun ONE Application Server 7 (prior to Update 9), Sun Java System Application Server 7.1 (prior to Update 5) and Sun Java System Applciation Server (Enterprise Edition) 8.1 are affected by this issue.

To determine the version of Sun Java System Application server on a system, the following command can be run:

    $ <AS_INSTALL>/bin/asadmin version --verbose
    Unable to communicate with admin server, getting version locally.
    Version = Sun Java System Application Server Enterprise Edition 8.1 (build b43-fcs)
    Command version executed successfully.

(Where <AS_INSTALL> is the installation directory of the Application Server).


Symptoms

There are no predictable symptoms that would indicate the described issue has occurred.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun ONE Application Server 7 Update 9 or later
  • Sun Java System Application Server 7 2004Q2 Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119169-08 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (SVR4) patch 119166-16 or later

x86 Platform

  • Sun ONE Application Server 7 Update 9 or later
  • Sun Java System Application Server 7 2004Q2 Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119170-08 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (SVR4) patch 119167-16 or later

Linux Platform

  • Sun ONE Application Server 7 Update 9 or later
  • Sun Java System Application Server 7 2004Q2 Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119171-08 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with RHEL2.1/RHEL3.0 (Pkg_patch) 119168-16 or later

Windows Platform

  • Sun ONE Application Server 7 Update 9 or later
  • Sun Java System Application Server 7 2004Q2 Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file based) patch 119172-08

Sun ONE Application Server 7 Update 9 and Sun Java System Application Server Update 5 can be downloaded at: http://www.sun.com/download/index.jsp?cat=Application%20%26%20Integration%20Services&tab=3



References

119166-16
119167-16
119171-08
119168-16
119169-08
119170-08




Attachments
This solution has no attachment