Note: This is an archival copy of Security Sun Alert 261688 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020611.1.
OpenSSO Enterprise 8.0
Sun Java System Access Manager 7.1
Sun Java System Access Manager 7 2005Q4
Sun Java System Access Manager 6 2005Q1
Date of Resolved Release
A Security Vulnerability in OpenSSO Enterprise and Sun Java System Access Manager May Cause Denial of Service (DoS)
A security vulnerability in OpenSSO Enterprise 8.0 or Sun Java System Access Manager may allow a local or remote user to hang the server process or cause memory corruption in it by sending specially crafted XML documents, resulting in a Denial of Service (DoS).
This issue is related to the vulnerabilities described in the following documents:
2. Contributing Factors
This issue can occur in the following releases:
% pkginfo -l SUNWamsvc || echo "Sun Java Access Manager not installed"
To determine the version of Sun Java System Access Manager on other systems, the following command can be run:
$ <access-manager-install-dir>/bin/amadmin --version
(where <access-manager-install-dir> is the installation directory of the Sun Java System Access Manager).
To determine the version of OpenSSO on other systems, the following command can be run:
$ <tools-zip-root>/<deploy_uri>/bin/ssoadm --version
(where <tools-zip-root> is the directory where the file ssoAdminTools.zip was originally uncompressed and <deploy_uri> is the name of the OpenSSO Enterprise deployment URI. For example: "opensso").
There are no predictable symptoms that would indicate the described issue has been exploited.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.