Note: This is an archival copy of Security Sun Alert 201538 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001147.1.
Sun Java System Access Manager 6 2005Q1
Sun Java System Access Manager 7.1
Sun Java System Identity Server 6.1
Sun Java System Identity Server 6.2
Sun Java System Access Manager 7 2005Q4
Date of Resolved Release
Sun Java System Access Manager Does Not Securely Process XSLT Stylesheets contained in XML Signatures
The Sun Java System Access Manager may not securely process XSLT stylesheets which are contained inside XSLT Transforms in XML Signatures.
A remote user who is able to create such an XML Signature which is viewed locally with Access Manager may be able to execute arbitrary code with the privileges of the Access Manager application. Access Manager is run by a web container application, such as the Sun Java System Application Server, and thus the privileges of Access Manager are the same as the configured web container application.
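As an added illustration (this is not Sun's code and not the Access Manager implementation), the following Java class shows the defensive check an XML Signature verifier built on the standard JSR 105 API (javax.xml.crypto.dsig) can apply against the issue described above: it allow-lists the transform algorithms a SAML-style verifier actually needs and refuses anything else, XSLT included, before calling validate(), which is the step that would otherwise execute a stylesheet carried inside the signature. The class name, the allow-list, the assumption that the trusted public key is configured out of band rather than taken from the document's KeyInfo, and the use of the JDK 7+ secureValidation property as a second layer are this example's own choices.

```java
import java.io.StringReader;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Example verifier (hypothetical class, not from Access Manager) that refuses XSLT transforms. */
public final class SafeXmlSignatureVerifier {

    /** Transform algorithms a SAML-style verifier legitimately needs; everything else is rejected. */
    private static final Set<String> ALLOWED_TRANSFORMS = new HashSet<String>(Arrays.asList(
            Transform.ENVELOPED,
            CanonicalizationMethod.EXCLUSIVE,
            CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS,
            CanonicalizationMethod.INCLUSIVE,
            CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS));

    /**
     * @param xml        the signed document as text (untrusted input)
     * @param signingKey the public key the caller already trusts for this peer (assumption:
     *                   configured out of band, never read from the document's own KeyInfo)
     * @return true only if every transform is allow-listed and the signature validates
     */
    public static boolean verify(String xml, PublicKey signingKey) throws Exception {
        // Harden the parser itself so the document cannot pull in DTDs or external entities.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // exactly one Signature element is expected
        }

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(signingKey), sigs.item(0));
        // Second layer (JDK 7 and later): the provider refuses XSLT transforms and caps the
        // number of transforms per Reference during validation.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        // unmarshalXMLSignature only parses the structure; transforms are not executed until
        // validate() runs, so the allow-list check happens before any stylesheet could run.
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        for (Object r : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) r;
            for (Object t : ref.getTransforms()) {
                String alg = ((Transform) t).getAlgorithm();
                if (!ALLOWED_TRANSFORMS.contains(alg)) {
                    // Transform.XSLT (and XPath filters) land here and are rejected outright.
                    return false;
                }
            }
        }
        return sig.validate(ctx);
    }
}
```

The order matters: the transform inspection runs on the unmarshalled structure, and validate(), the call that actually dereferences and transforms each Reference, is only reached once every transform algorithm has been checked against the allow-list. A verifier that calls validate() first and inspects the transforms afterwards has already executed whatever the signature asked for.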
Sun acknowledges with thanks Brad Hill of iSEC Partners for bringing this issue to our attention.
2. Contributing Factors
This issue can occur in the following releases:
Note: With respect to Access Manager functionality, this issue only affects verification of XML signing, so if a user is not using XML signing in Access Manager, there is no impact.
To determine if XML signing is enabled for Access Manager, do the following:
If any of the three check boxes labeled "Sign SAML Request", "Sign SAML Response" or "Sign SAML Assertion" is checked, the XML signing functionality is in use.
To determine the version of Access Manager on a Solaris system, the following command can be run:
% pkginfo -l SUNWamsvc
   PKGINST:  SUNWamsvc
      NAME:  Sun Java System Access Manager Services
  CATEGORY:  application
      ARCH:  all
   VERSION:  7.0,REV=05.08.10.09.17
To determine the version of Sun Java System Access Manager on other systems, the following command can be run (as the "root" user):
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7 2005Q4
There are no predictable symptoms that would indicate the described issue has been exploited.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
SPARC Platform:
x86 Platform:
Linux:
Windows:
For more information on Security Sun Alerts, see 1009886.1.
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have
notification may only be used for the purposes contemplated by these
10-Nov-2008: Updated Contributing Factors and Resolution sections for HP-UX
23-Dec-2008: Added WAR platform and patches to the Contributing Factors and Resolution sections