Note: This is an archival copy of Security Sun Alert 235381 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019128.1.
Sun Java System Directory Server Enterprise Edition 6.0
Sun Java System Directory Server Enterprise Edition 6.1
Sun Java System Directory Server Enterprise Edition 6.2
Date of Resolved Release
Security Vulnerability in Sun Java System Directory Proxy Server May Grant Unauthorized Administrative Access
1. Impact
A security vulnerability in the Sun Java System Directory Proxy Server may allow a remote unprivileged user to gain unauthorized administrative access to the server. This is caused by the server incorrectly classifying a connection based on the "bind-dn" criteria, resulting in an incorrect policy being applied.
2. Contributing Factors
This issue can occur in the following releases for all platforms (Solaris 8, 9, and 10 SPARC and x86 Platforms, Linux, Windows, and HP-UX):
To determine if the Directory Server running on a system is affected, the following command can be used:
$ dpadm -V
If the output contains the version string 6.0, 6.1 or 6.2, the system is affected by this issue.
3. Symptoms
There are no predictable symptoms that would indicate this issue has been exploited.
4. Workaround
There is no workaround for this issue. Please see the Resolution section below.
5. Resolution
This issue is addressed in the following releases:
Native Package Versions:
For more information on the upgrade process please see the following:
Directory Server 6.3 Release Notes are available at:
and the Directory Server 6.3 Installation Guide is available at:
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
16-Jun-2008: Updated Resolution section to include Windows patch