Note: This is an archival copy of Security Sun Alert 239566 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019431.1.
Sun N1 Service Provisioning System 5.2
Sun N1 Service Provisioning System 6.0
Date of Resolved Release
Security Vulnerability in Sun Java System Web Server 7.0 plugin for Sun N1 Service Provisioning System (SPS)
A security vulnerability in the Sun Java System Web Server 7.0 plugin for Sun N1 Service Provisioning System may allow a user who has access to the N1SPS administrator console to gain unauthorized administrator access on the Sun Java System Web Server that is being maintained by N1SPS.
2. Contributing Factors
This issue can occur in the following releases (for both SPARC and x86 platforms):
Note: Previous versions of Service Provisioning System are not affected by this issue, as the Web Server 7.0 plug-in was first released with N1SPS 5.2.
Only systems with the Web Server 7.0 plug-in installed are vulnerable to this issue. To determine if a system has this plug-in installed, the following command can be run:
$ pkginfo SUNWspssws70
There are no predictable symptoms that would indicate the described issue has been exploited to gain access to the Web Server administrator password.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases (for both SPARC and x86 platforms):