Note: This is an archival copy of Security Sun Alert 201173 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000887.1.
Date of Resolved Release
A security vulnerability in Sun Java System Portal Server Software 6.2 may allow a user to gain Calendar Server administrator credentials if the user changes the display options to select a non-default view. With these credentials, the user's session has unrestricted access to the calendar data and can therefore manipulate it. Such manipulation could include, but is not limited to: the deletion, creation, and modification of users, user information, calendar entries, and historical data.
This issue can occur in the following releases:
The described issue only occurs if the following conditions are true:
Note: This issue only affects the calendar component. The calendar configuration information is not affected.
There are no reliable symptoms that would indicate the described issue has been exploited to gain access to calendar data.
To work around the described issue, do not allow end users to edit the "calendar" or "view" display profile properties of the calendar channels when Admin Proxy Authentication is enabled.
For additional information on Administrator Proxy Authentication, see http://docs.sun.com/source/816-6748-10/comm_config.html#wp34042.
This issue is addressed in the following releases:
Sun Java System Portal Server 6.2