Note: This is an archival copy of Security Sun Alert 200229 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000180.1. |
Category Security Release Phase Resolved Sun Java System Application Server Platform Edition 8.1 2005Q1 Sun Java System Application Server Platform Edition 8.1 2005Q1 Update Release 1 Sun Java System Application Server Enterprise Edition 8.1 2005Q1 Bug Id 6246426 Date of Resolved Release 13-SEP-2005 Impact When a deployed web application created for the Sun Java System Application Server contains a "jar" file, contents of the jar file may be exposed. Contributing Factors This issue can occur in the following releases: SPARC Platform
x86 Platform
Linux Platform
Windows Platform
Notes:
To determine the version of Sun Java System Application server, the following command can be run: $ <AS_INSTALL>/bin/asadmin version --verbose Unable to communicate with admin server, getting version locally. Version = Sun Java System Application Server Enterprise Edition 8.1 (build b43-fcs) Command version executed successfully. (Where <AS_INSTALL> is the installation directory of the Application Server) Symptoms There are no reliable symptoms that would indicate the described issue has occurred. Workaround To work around the described issue, use one of the two following methods: A. Turn off the directory listing feature for web apps, which is on by default: 1. Edit $<AS_DOMAIN>/domain1/config/default-web.xml 2. Set the listing value to false: <param-name>listings</param-name> <param-value>false</param-value> 3. Restart the domain Or, B. Delete the files that got unjarred from the jar files under $<AS_DOMAIN>/domain1/applications/j2ee-modules/<application-name>/ after deployment of the web application. Example: If the file "com/sun/appserv/web/taglibs/cache/CacheTag.class" was packaged as appserv-tags.jar (This appserv-tags.jar file was packaged in the war file webapps-caching.war) then after deployment of the war file webapps-caching.war, delete the directory "com" under $<AS_DOMAIN>/domain1/applications/j2ee-modules/webapps-caching. Resolution This issue is addressed in the following releases: SPARC Platform
x86 Platform
Linux Platform
Windows Platform
NOTE: The resolution outlined above will only affect applications deployed after the installation of the above patches or upgrades. To correct web applications that were deployed prior to installing the resolution, workaround "B" (in Relief/Workaround) needs to be applied to those applications. References119169-01119166-06 119170-01 119167-06 119171-01 119168-05 Attachments This solution has no attachment |
|