Note: This is an archival copy of Security Sun Alert 200420 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000304.1.
iPlanet Messaging Server 5.2 Patch 1
Sun Java System Messaging Server 6.0
Date of Resolved Release
A security vulnerability in the iPlanet Messaging Server and Sun Java System Messaging Server may allow a local unprivileged user to read some data from any file on the system.
This issue is also described in CVE-2006-3159: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3159
This issue can occur in the following releases:
Note: A valid local account is required on the server running the iPlanet or Sun Java System Messaging Server.
To determine the version of iPlanet Messaging Server on a system, the following command can be run:
% cat /etc/msgregistry.inf
If this file exists, a list of instances and installs (if any) will be displayed.
To determine the version of Sun Java Messaging Server on a system, the following command can be run:
% /opt/SUNWmsgsr/sbin/imsimta version
There are no predictable symptoms that would indicate the described vulnerability has been exploited.
To work around the described issue, restrict shell account access on the Messaging Server to trusted or "root" users only, which limits the potential for any data to be revealed.
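One way to check the workaround is in place, as an added example that is not part of the original Sun Alert: list the accounts in a passwd(4)-format file that still have a usable login shell and are not on a trusted list. The function names, the non-login shell list, the trusted list and the sample passwd entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which local accounts can obtain a shell, to support
# the workaround of limiting shell access to trusted users.

# Shells treated as "no interactive access" (assumed site list; adjust as needed).
NOLOGIN_SHELLS="/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin"

# Print "user shell" for every account in a passwd(4)-format file (or "-" for
# stdin) that has a usable login shell and is not in the trusted list.
untrusted_shell_accounts() {
    passwd_file=$1
    trusted=$2    # space-separated account names allowed to keep a shell
    awk -F: -v nologin="$NOLOGIN_SHELLS" -v trusted="$trusted" '
        BEGIN {
            n = split(nologin, a, " "); for (i = 1; i <= n; i++) deny[a[i]] = 1
            m = split(trusted, t, " "); for (i = 1; i <= m; i++) ok[t[i]] = 1
        }
        /^#/ || NF < 7 { next }    # skip comments and malformed entries
        {
            # An empty shell field means the system default shell is used.
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!(shell in deny) && !($1 in ok)) print $1 " " shell
        }
    ' "$passwd_file"
}

# Constructed sample entries (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
mailsrv:x:7633:6:Messaging Server:/opt/SUNWmsgsr:/bin/false
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
backup:x:1002:10:Backup job:/export/home/backup:/usr/bin/false
bob:x:1003:10:Bob:/export/home/bob:/bin/bash
EOF
}

# Demo on the sample; on a real host pass /etc/passwd instead of "-".
sample_passwd | untrusted_shell_accounts - "root"
```

An entry flagged only because its shell field is empty, such as `daemon` in the sample, may still be unable to log in if its password is locked; the passwd file alone does not show that.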
This issue is addressed in the following releases: