Note: This is an archival copy of Security Sun Alert 256668 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020348.1.
Sun Java System Access Manager 6 2005Q1
Sun Java System Access Manager 7.0
Sun Java System Access Manager 7.1
OpenSSO Enterprise 8.0
Date of Resolved Release
A Security Vulnerability in Sun Java System Access Manager May Disclose Confidential Information
1. Impact
A security vulnerability in Sun Java System Access Manager may disclose clear text passwords in debug files when the debug flag is enabled. This would allow a local unprivileged user to gain unauthorized access to user identities which are managed by Sun Java System Access Manager.
2. Contributing Factors
This issue can occur in the releases listed above when the following property is set in the AMConfig.properties configuration file:

com.iplanet.services.debug.level=message

This property is not set to "message" by default.
To determine if Sun Java System Access Manager is installed, the following command can be run on a Solaris system:

% pkginfo -l SUNWamsvc || echo "Sun Java System Access Manager is not installed"

To determine the version of Sun Java System Access Manager on other systems, the following command can be run:

$ <access-manager-install-dir>/bin/amadmin --version

where <access-manager-install-dir> is the installation directory of the Sun Java System Access Manager.
3. Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
4. Workaround
To work around the described issue, the "com.iplanet.services.debug.level" property can be set to an alternate value such as "error" in the AMConfig.properties configuration file. For example:
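The following script is an added example (not Sun's code and not part of the original alert) that audits an AMConfig.properties file for the "message" debug level named in this alert and writes out a corrected copy with the level set to "error". It assumes only what the alert states (the property name com.iplanet.services.debug.level, the unsafe value "message" and the suggested value "error") plus the ordinary Java .properties syntax of that file; the sample file content embedded below is constructed for the demonstration.

```python
"""Audit an Access Manager AMConfig.properties file for the debug level
that causes clear text passwords to reach debug files, and produce a
corrected copy.  Added example, not Sun's code.  Assumes standard Java
.properties syntax: key=value or key:value, '#' / '!' comment lines,
trailing-backslash line continuation."""
import re
import sys

DEBUG_LEVEL_KEY = "com.iplanet.services.debug.level"
UNSAFE_LEVEL = "message"   # level at which the alert says passwords are written to debug files
SAFE_LEVEL = "error"       # alternate value suggested in the workaround

# Constructed sample fragment; "some.other.property" is a made-up key used
# only to show that unrelated lines are preserved untouched.
SAMPLE_AMCONFIG = """\
# constructed sample of an AMConfig.properties fragment (not the real file)
some.other.property=value
com.iplanet.services.debug.level=message
"""


def parse_properties(text):
    """Return {key: value} for a Java .properties document."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if buf:                       # continuation: leading whitespace is ignored
            line = line.lstrip()
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf += line[:-1]          # join with the next physical line
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)

    props = {}
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue                  # blank or comment line
        m = re.match(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text):
    """Report the configured debug level and whether it is the unsafe one."""
    level = parse_properties(text).get(DEBUG_LEVEL_KEY)
    return {"level": level, "exposed": level == UNSAFE_LEVEL}


def remediate(text, new_level=SAFE_LEVEL):
    """Return a copy of the file with the debug level set to new_level.
    Assumes the property occupies one physical line (the normal case);
    every other line, including comments, is preserved as-is."""
    pattern = re.compile(
        r"^(\s*" + re.escape(DEBUG_LEVEL_KEY) + r"(?:\s*[=:]\s*|\s+))(.*)$")
    out, found = [], False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        m = pattern.match(body)
        if m:
            found = True
            out.append(m.group(1) + new_level + newline)
        else:
            out.append(line)
    if not found:                     # property absent: append it explicitly
        out.append(f"{DEBUG_LEVEL_KEY}={new_level}\n")
    return "".join(out)


def main(argv):
    # Usage: python audit_amconfig.py [path/to/AMConfig.properties]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AMCONFIG
    result = audit(text)
    print(f"{DEBUG_LEVEL_KEY} = {result['level']!r}; exposed = {result['exposed']}")
    if result["exposed"]:
        print("--- corrected file ---")
        print(remediate(text), end="")


if __name__ == "__main__":
    main(sys.argv)
```

Changing the property only stops new passwords from being written; debug files produced while the level was "message" still hold whatever was logged, so they should be removed or have their permissions tightened as part of applying this workaround, and the service restarted for the new level to take effect.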
5. Resolution
This issue is addressed in the following releases:
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.