Note: This is an archival copy of Security Sun Alert 200875 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000664.1.
Article ID : 1000664.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-12
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Sun Java System Directory Server Leaks Information About Existence of Attributes

Category
Security

Release Phase
Resolved

Product
Sun Java System Directory Server 5.2

Bug Id
6466900

Date of Resolved Release
13-JUN-2007

Impact

A security vulnerability in Sun ONE/Java System Directory Server may allow a local or remote unprivileged user to reveal existence of an entry's attributes, which are otherwise not visible to the user.


Contributing Factors

This issue can occur in the following releases for all platforms (Solaris 8, 9, and 10 on Solaris SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX):

Native Package Versions:

  • Sun ONE Directory Server 5.2
  • Sun Java System Directory Server 5 2003Q4 (5.2 Patch 1)
  • Sun Java System Directory Server 5 2004Q2 (5.2 Patch 2)
  • Sun Java System Directory Server 5 2005Q1 (5.2 Patch 3)
  • Sun Java System Directory Server 5 2005Q4 (5.2 Patch 4)
  • Sun Java Directory Server Enterprise Edition (DSEE) 6.0

PatchZIP (Compressed Archive) versions:

  • Sun ONE Directory Server 5.1
  • Sun One Directory Server 5.2
  • Sun Java System Directory Server 5.2 Patch 2
  • Sun Java System Directory Server 5.2 Patch 3
  • Sun Java System Directory Server 5.2 Patch 4
  • Sun Java Directory Server Enterprise Edition (DSEE) 6.0

To determine the version of Directory Server running on a system, the following command can be used:

    $ cd <installation directory>/bin/slapd/server[/64]
    $ ./ns-slapd -V -D <instance-directory>

 


Symptoms

There are no predictable symptoms that would indicate the described issue has occurred.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases for all platforms (Solaris 8, 9, and 10 on Solaris SPARC and Solaris x86 Platforms, Linux, Windows, HP-UX, and AIX):

Sun Java System Directory Server 5, 5.2 Patch 5, as delivered in the following:

Native Package Versions:

  • Solaris SPARC: 115614-27
  • Solaris x86: 115615-27
  • Linux: 118080-12
  • HP-UX: 121393-02
  • Windows: 121392-03

PatchZIP (Compressed Archive) versions:

  • Solaris SPARC: 117665-04
  • Solaris x86: 117666-04
  • Linux: 117668-04
  • Windows: 117667-04
  • HP-UX: 117669-04
  • AIX: 117670-04

Sun Java System Directory Server Enterprise Edition 6.1, as delivered in the following:

Native Package Versions:

  • Solaris SPARC: 125276-02
  • Solaris 9 x86: 125277-02
  • Solaris 10 x86/x64: 125278-02
  • Linux: 125309-02
  • HP-UX: 125310-02

PatchZIP (Compressed Archive) Versions:

  • Solaris SPARC: 126748-01
  • Solaris 9 x86: 126749-01
  • Solaris 10 x86/x64: 126750-01
  • Linux: 126751-01
  • Windows: 126753-01
  • HP-UX: 126752-01

Note 1: Sun Java System Directory Server 5.1 is also affected by this issue. In order to resolve this issue, users should upgrade to Sun Java System Directory Server 5.2 and apply the resolution listed in this section.

Note 2: Sun Java System Directory Server 6.0 must be upgraded to 6.1 using one of the above listed patches to resolve this issue.



References

121393-02
118080-12
115614-27
115615-27
117667-04
117668-04
117669-04
117670-04
121392-03
117665-04
117666-04
125276-02
125277-02
125278-02
125309-02
125310-02
126748-01
126749-01
126750-01
126751-01
126753-01
126752-01




Attachments
This solution has no attachment