Note: This is an archival copy of Security Sun Alert 201381 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001054.1.
Sun Java System Web Server 6.1
Date of Resolved Release
A security vulnerability in the Sun Java System Web Server may allow a local or remote user to gain unauthorized access to certain web server instances. When a secure (SSL-enabled) web server instance is set up as a non-root instance through the admin server, and that admin server is configured to run as root, this vulnerability may allow a user presenting a revoked client certificate to access the web server instance under certain conditions, even though a valid Certificate Revocation List (CRL) file has been installed for the instance.
This issue can occur in the following releases:
The following releases are not affected:
This issue only affects hosts which meet the following two conditions:
1) contain a Certificate Revocation List (CRL) which matches certain criteria
2) contain server instances which run as a user that differs from the user that the admin server is configured to run as
If both of these conditions are met, the following directory will exist on the host with ownership and permissions that do not grant access to the user the affected instance runs as. A command such as the following can be used to determine the ownership and permissions of the directory:
$ ls -l <WS-install>/alias/https-<instance>-cert8.dir
Please consult the product documentation for information on determining which user the active instances are running as.
To determine the version of Sun Java System Web Server on a system, the following command can be run:
There are no reliable symptoms that would indicate the described issue has occurred.
After importing a CRL through the Web Server Admin GUI on affected systems, the following directory will be created:
Manually change the ownership and/or permissions of the cert8.dir directory for this instance, and of the files within it, so that the non-root user the instance runs as can access them.
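The following shell script is an added example and is not part of the Sun Alert or of the product. It checks whether a given non-root instance user can reach the instance's cert8.dir directory (using the path given above), and applies the workaround by handing the directory and its contents to that user. The install path, instance name and instance user (webservd) are hypothetical placeholders; the check reads only the classic owner/group/other mode bits, so POSIX ACLs are not taken into account.

```shell
#!/bin/sh
# Added example (not from the Sun Alert). Assumed, hypothetical values:
WS_INSTALL=${WS_INSTALL:-/opt/SUNWwbsvr}   # Web Server install directory
INSTANCE=${INSTANCE:-www.example.com}      # instance name (https-<instance>)
INSTANCE_USER=${INSTANCE_USER:-webservd}   # user the instance runs as

# crl_dir_accessible DIR USER
# Prints "yes" if USER gets read+search (r and x) on DIR from the owner,
# group or other mode bits, otherwise "no". Group membership is looked up
# with id(1) when USER exists on this host. ACLs are ignored (assumption).
crl_dir_accessible() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo no; return 0; }
    # ls -ld prints: mode links owner group size date... name
    set -- $(ls -ld "$dir")
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$user" ]; then
        perms=$(printf %s "$mode" | cut -c2-4)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        perms=$(printf %s "$mode" | cut -c5-7)
    else
        perms=$(printf %s "$mode" | cut -c8-10)
    fi
    case $perms in
        r?x) echo yes ;;
        *)   echo no ;;
    esac
}

# fix_crl_dir_owner DIR USER
# The workaround from the alert: make USER the owner of DIR and everything
# in it, and make sure the owner bits allow read/search. Must run as root
# on the real host, since the directory was created by the root admin server.
fix_crl_dir_owner() {
    chown -R "$2" "$1" && chmod -R u+rwX "$1"
}

# Stand-alone usage: report, and repair only when asked with --fix.
if [ "${1:-}" = "--fix" ] || [ "${1:-}" = "--check" ]; then
    crl_dir="$WS_INSTALL/alias/https-$INSTANCE-cert8.dir"
    state=$(crl_dir_accessible "$crl_dir" "$INSTANCE_USER")
    echo "$crl_dir accessible to $INSTANCE_USER: $state"
    if [ "$1" = "--fix" ] && [ "$state" = no ]; then
        fix_crl_dir_owner "$crl_dir" "$INSTANCE_USER"
        echo "after fix: $(crl_dir_accessible "$crl_dir" "$INSTANCE_USER")"
    fi
fi
```

Run it as root with `WS_INSTALL`, `INSTANCE` and `INSTANCE_USER` set for the affected instance, first with `--check` and then with `--fix`. After the fix, re-importing a CRL through the admin server recreates the directory with the admin server's ownership, so the check should be repeated after every CRL import until the patched release is installed.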
This issue is addressed in the following releases:
Sun Java System Web Server 6.1 Service Pack 7 is available at:
This solution has no attachment