Category
Security
Release Phase
Resolved
Bug Id
6644879
ProductSun Java System Access Manager 7.1
Date of Workaround Release11-Jun-2008
Date of Resolved Release24-Dec-2008
In AM 7.1 and later patches, a user can get to AM login screen, ... (see below for details):
1. Impact
Under certain configurations, a security vulnerability in Sun Java
System Access Manager 7.1 may allow a remote unprivileged user to
gain unauthorized access to resources or to gain administrator
privileges without any authentication.
2. Contributing Factors
This issue can occur in the following releases:
- Sun Java System Access Manager 7.1 without patch 140504-02
SPARC Platform
- Sun Java System Access Manager 7.1 without patch 126356-02
x86 Platform
- Sun Java System Access Manager 7.1 without patch 126357-02
Linux Platform
- Sun Java System Access Manager 7.1 without patch 126358-02
Windows Platform
- Sun Java System Access Manager 7.1 without patch 126359-02
HP-UX Platform
- Sun Java System Access Manager 7.1
To determine the version of Access Manager on a Solaris system, the
following
command can be run:
% pkginfo -l SUNWamsvc
PKGINST: SUNWamsvc
NAME: Sun Java System Access Manager Services
CATEGORY: application
ARCH: all
VERSION: 7.1,REV=06.12.19.15.12
To determine the version of Sun Java System Access Manager on other
systems, the following command can be run:
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7.1
# <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 2005Q4
Other versions of Sun Java System Access Manager are not
affected.
Note: Only Sun Java System Access Manager 7.1 installations that
are configured to use Sun Directory Server Enterprise Edition
(DSEE) 5.2 in any configuration or Sun Directory Server Enterprise
Edition (DSEE) 6 with a non-default configuration mode (that allows
binds without a password) as the backend are affected by this issue.
3. Symptoms
There are no predictable symptoms that would show that the described
vulnerability has been exploited to gain unauthenticated access to resources.
4. Workaround
Currently there is no workaround for this issue if AM 7.1 is
configured
to use DSEE 5.2 as the LDAP repository.
To workaround this issue for Access Manager configured to use DSEE 6,
DSEE 6 needs to be configured in the default DSEE 6 configuration which
is to "require a bind password". Access Manager login will display
"Authentication Failed." in this case thereby preventing this issue from being exploited.
This can be done by executing the 'dsconf' command on the DSEE 6 as
follows:
# ./dsconf set-server-prop -e require-bind-pwd-enabled:on
Enter "cn=Directory Manager" password:
To print the value of require-bind-pwd-enabled:
# ./dsconf get-server-prop -e require-bind-pwd-enabled
Enter "cn=Directory Manager" password:
require-bind-pwd-enabled : on
After you have set the "require-bind-pwd-enabled" option to "on," you
will be not be able to login to Access Manager with a blank password.
5. Resolution
This issue is addressed in the following releases:
- Sun Java System Access Manager 7.1 with patch 140504-02
SPARC Platform
- Sun Java System Access Manager 7.1 with patch 126356-02
x86 Platform
- Sun Java System Access Manager 7.1 with patch 126357-02
Linux Platform
- Sun Java System Access Manager 7.1 with patch 126358-02
Windows Platform
- Sun Java System Access Manager 7.1 with patch 126359-02
For more information on Security Sun Alerts, see
Modification History
24-Dec-2008: Updated Contributing Factors and Resolution sections. Resolved
References
126356-02
126357-02
126358-02
126359-02
140504-02
References
SUNPATCH:126356-02
SUNPATCH:126357-02
SUNPATCH:126358-02
SUNPATCH:126359-02
SUNPATCH:140504-02
AttachmentsThis solution has no attachment