Note: This is an archival copy of Security Sun Alert 200624 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000486.1.
Sun Java System Access Manager 7 2005Q4
Date of Resolved Release
A local user logged in as "root" on a system with Sun Java System Access Manager may be able to use the "amadmin" CLI tool to administer the Access Manager installation with the privileges of the top-level administrator (regardless of the credentials originally used to log in to the Access Manager server). Access Manager security is compromised.
This issue can occur in the following releases:
To determine if Sun Java System Access Manager is installed on a system, the following command can be run:
% pkginfo -l SUNWamsvc
   PKGINST:  SUNWamsvc
      NAME:  Sun Java System Access Manager Services
  CATEGORY:  application
      ARCH:  all
   VERSION:  7.0,REV=05.08.10.09.17
To determine the version of Sun Java System Access Manager on a system, the "amadmin" command can be run from the directory in which Access Manager was installed, as in the following example:
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7 2005Q4
Sun Java System Access Manager may not function properly and/or product configuration and user data may be stolen or compromised.
There is no workaround to this issue. Please see the Resolution section below.
This issue is addressed in the following releases: