Note: This is an archival copy of Security Sun Alert 201387 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001060.1.
Sun Java Web Console 2.2.3
Solaris 10 Operating System
Sun Java Web Console 2.2.5
Sun Java Web Console 2.2.4
Sun Java Web Console 2.2.2
Date of Resolved Release
A security vulnerability in the Sun Java Web Console may allow a local or remote unprivileged user to access privileged data or crash the Java Web Console service, leading to a Denial of Service (DoS) condition.
Sun acknowledges with thanks, Frank Dick of N.RUNS AG (http://www.nruns.com/) for bringing this issue to our attention.
For additional information regarding this issue, see the following:
N.RUNS AG security bulletin at http://www.nruns.com/security_advisory_sun_java_format_string.php
CVE-2007-1681 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1681
This issue can occur in the following releases:
To determine the version of Sun Java Web Console installed on the system, the following command can be run:
$ /usr/sbin/smcwebserver -V Version 2.2.2
There are no predictable symptoms that would indicate the described issue has been exploited.
To work around the described issue, configure the Sun Java Web Console logging service to turn off writing messages to syslog. This can be done by executing the following command as the root user:
# /usr/sbin/smreg add -p -c logging.default.level=off
This issue is addressed in the following releases:
Sun Java Web Console 2.2.6 can be downloaded at http://www.sun.com/download/products.xml?id=461d58be
This solution has no attachment