Note: This is an archival copy of Security Sun Alert 200333 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000244.1.
Date of Resolved Release
Buffer overflow vulnerabilities in the Sun Java System Web Proxy Server ...
Buffer overflow vulnerabilities in the Sun Java System Web Proxy Server may allow a remote unprivileged user to crash either the Web Proxy Server or the Admin Server (of the Web Proxy Server) or execute arbitrary code with the privileges of the respective server processes.
Note: At installation time, the recommended UIDs for the Web Proxy Server and Admin Server are "nobody" and "root" respectively. However, the administrator may have used different UIDs from the recommended ones during installation.
Sun acknowledges, with thanks, Matt Moore of Pentest Limited for bringing these issues to our attention.
2. Contributing Factors
These issues can occur in the following release on all platforms:
For supported architectures and OS versions see http://wwws.sun.com/software/download/products/4096ba15.html.
There are no reliable symptoms that would indicate the described issues have been exploited to execute arbitrary code. The Web Proxy Server or Admin Server may crash if the buffer overflow vulnerabilities have been exploited.
There is no workaround. Please see the "Resolution" section below.
These issues are addressed in the following release:
Sun Java System Web Server releases are available for download at http://wwws.sun.com/software/download/products/4149bc42.html.
Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Sun Java System Web Proxy Server 3.6 Service Pack 4