Note: This is an archival copy of Security Sun Alert 238184 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019285.1.
Date of Resolved Release
Multiple Security Vulnerabilities in Sun Java ASP Server may lead to execution of Arbitrary Code or Unauthorized Access to Data
Multiple security vulnerabilities in the Sun Java ASP Server may allow a local or remote unprivileged user to execute arbitrary code with the privileges of the root user or with the privileges of the user running the Sun Java ASP Server. These issues may also allow a remote unprivileged user to gain unauthorized access to data, create arbitrary files on an affected system and bypass authentication mechanisms on the ASP application server.
Sun acknowledges with thanks, iDefense (http://www.idefense.com), for bringing these issues to our attention.
These issues are also described in the following documents:
iDefense Vulnerability Advisories:
and the following from CVE:
CVE-2008-2401 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2401
CVE-2008-2402 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2402
CVE-2008-2403 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2403
CVE-2008-2404 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2404
CVE-2008-2405 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2405
CVE-2008-2406 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2406
2. Contributing Factors
These issues can occur in the following releases for all platforms (Solaris 8, 9, and 10 on Solaris SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX):
To determine the revision of Sun Java ASP Server installed on a SPARC, x86, Linux, HP-UX or AIX system, the following command may be run:
$ cat /opt/casp/VERSIONOn the Windows platform, the version of Sun Java ASP Server installed may be determined by verifying the following key in the Windows system registry:
There are no predictable symptoms that would indicate the described issues have been exploited to execute arbitrary code with elevated privileges or to gain unauthorized access to data.
To work around the issues described in CVE-2008-2401, CVE-2008-2402, CVE-2008-2403 and CVE-2008-2406 on the SPARC, Linux, HP-UX and AIX platforms, disable the Admin Server on the Sun Java ASP Server. Sun Java ASP Server on the Windows platform is not affected by the issues described in these CVEs.
The Admin Server may be disabled as the 'root' user by using the following command:
# /opt/casp/admtool -eThere is no workaround to the issues described in CVE-2008-2404 and CVE-2008-2405. Please see the Resolution section below.
These issues are addressed in the following releases for all
platforms (Solaris 8, 9, and 10 on Solaris SPARC and x86 Platforms,
Linux, Windows, HP-UX, and AIX):
The Sun Java ASP Server 4.0.3 may be downloaded at the following URL for all platforms:
For more information
on Security Sun Alerts, see 1009886.1.
This Sun Alert
notification is being provided to you on
an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
notification may only be used for the purposes contemplated by these
09-Jun-2008: Updated Impact section to add CVE notifications
31-Jul-2008: Correct URLs for CVE notifications
Sun Java Standard Edition (Java SE)
This solution has no attachment