Note: This is an archival copy of Security Sun Alert 200433 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000315.1.
Sun Java System Application Server Standard Edition 7 2004Q2
Sun ONE Application Server 7, Standard Edition
Sun Java System Application Server Enterprise Edition 8.1 2005Q1
Date of Resolved Release
A security vulnerability exists in the Proxy Plug-in for certain Sun ONE and Java System Application Server products when the plug-in is used with a supported web server, such as Sun Java System Web Server, Apache Web Server or Microsoft Internet Information Server (IIS). This vulnerability may allow a "Man-in-the-Middle" condition to be exploited and possibly compromise data privacy between the client and the server.
Note: Though not impossible, it will be difficult to carry out this exploit from outside the firewall in front of the web server.
This issue can occur in the following releases:
Note: The "Platform Editions" of above Application Server versions are not affected by this issue.
To determine the version of Sun Java System Application server, the following command can be run:
$ <AS_INSTALL>/bin/asadmin version --verbose Unable to communicate with admin server, getting version locally. Version = Sun Java System Application Server Enterprise Edition 8.1 (build b43-fcs) Command version executed successfully.
(Where <AS_INSTALL> is the installation directory of the Application Server)
There are no reliable symptoms that would indicate the described issue has occurred.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
This solution has no attachment