Note: This is an archival copy of Security Sun Alert 242026 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019602.1.
Sun Java System Access Manager 6 2005Q1
Sun Java System Access Manager 7 2005Q4
Sun Java System Access Manager 7.1
Date of Resolved Release
A Security Vulnerability in Sun Java System Access Manager May Allow a Remote Unprivileged User to Determine the Existence of "guessed" Usernames
A security vulnerability in Sun Java System Access Manager may allow a remote unprivileged user to determine the existence of "guessed" usernames.
Sun acknowledges with thanks, Marco Mella (http://www.aboutsecurity.net/) for bringing this issue to our attention.
2. Contributing Factors
This issue can occur in the following releases:
To determine if Sun Java System Access Manager is installed on a Solaris system, the following command can be run:
% pkginfo -l SUNWamsvc
To determine the version of Sun Java System Access Manager on other systems, the following command can be run (as "root" user):
# <access-manager-install-dir>/bin/amadmin --version
(where <access-manager-install-dir> is the installation directory of the Sun Java System Access Manager).
There are no predictable symptoms that would indicate the described issue has been exploited.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.