Category
Security
Release Phase
Resolved
ProductSun Java System Application Server Standard Edition 7 2004Q2
Sun ONE Application Server 7, Standard Edition
Sun Java System Application Server Enterprise Edition 8.1 2005Q1
Bug Id
6210327
Date of Resolved Release05-DEC-2005
Impact
A security vulnerability exists in the Proxy Plug-in for certain Sun ONE and Java System Application Server products when the plug-in is used with a supported web server, such as Sun Java System Web Server, Apache Web Server or Microsoft Internet Information Server (IIS). This vulnerability may allow a "Man-in-the-Middle" condition to be exploited and possibly compromise data privacy between the client and the server.
Note: Though not impossible, it will be difficult to carry out this exploit from outside the firewall in front of the web server.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun ONE Application Server 7
- Sun Java System Application Server 7 2004Q2
- Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-03 or (SVR4) patch 119166-11
x86 Platform
- Sun ONE Application Server 7
- Sun Java System Application Server 7 2004Q2
- Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119170-03 or (SVR4) patch 119167-11
LINUX Platform
- Sun ONE Application Server 7
- Sun Java System Application Server 7
- Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119171-04
- Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with RHEL2.1/RHEL3.0 (Pkg_patch) 119168-12 or later
Windows Platform
- Sun ONE Application Server 7
- Sun Java System Application Server 7
Note: The "Platform Editions" of above Application Server versions are not affected by this issue.
To determine the version of Sun Java System Application server, the following command can be run:
$ <AS_INSTALL>/bin/asadmin version --verbose
Unable to communicate with admin server, getting version locally.
Version = Sun Java System Application Server Enterprise Edition 8.1
(build b43-fcs)
Command version executed successfully.
(Where <AS_INSTALL> is the installation directory of the Application Server)
Symptoms
There are no reliable symptoms that would indicate the described issue has occurred.
Workaround
There is no workaround for this issue. Please see the Resolution section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun ONE Application Server 7 Update 7 or later
- Sun Java System Application Server 7 2004Q2 Update 3 or later
- Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119169-03 or later
x86 Platform
- Sun ONE Application Server 7 Update 7 or later
- Sun Java System Application Server 7 2004Q2 Update 3 or later
- Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119170-03 or later
- Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (SVR4) patch 119167-11 or later
Linux Platform
- Sun ONE Application Server 7 Update 7 or later
- Sun Java System Application Server 7 2004Q2 Update 3 or later
- Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119171-04 or later
- Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with RHEL2.1/RHEL3.0 (Pkg_patch) 119168-12 or later
Windows Platform
- Sun ONE Application Server 7 Update 7 or later
- Sun Java System Application Server 7 2004Q2 Update 3 or later
References
119166-11
119167-11
119169-03
119170-03
119171-04
119168-12
AttachmentsThis solution has no attachment