Note: This is an archival copy of Security Sun Alert 264248 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020755.1.
Java Enterprise System
Date of Resolved Release
Security Vulnerability in the Java Enterprise System Simple Authentication and Security Layer (SASL) library sasl_encode64 routine:
A buffer overflow security vulnerability in the Simple Authentication and Security Layer (SASL) library bundled with the Java Enterprise System (JES) may allow local or remote unprivileged users to crash applications which use the sasl_encode64 SASL library function.
None of the Sun Java Enterprise System (JES) products which use SASL are impacted by this issue; however, third-party applications that have a dynamic dependency on the SASL library bundled with JES may be affected.
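The third-party case above is the one a practitioner has to defend: an application that dynamically links the JES-bundled SASL library picks up whatever sasl_encode64 the installed library provides, so the caller should size the output buffer itself and check the return value rather than rely on the library to bound its write. The following is an added example, not code from the Sun Alert, from Oracle, or from the SASL library itself. It uses a stand-in base64 encoder with the real sasl_encode64 signature (int sasl_encode64(const char *in, unsigned inlen, char *out, unsigned outmax, unsigned *outlen), returning SASL_OK or SASL_BUFOVER as declared in sasl.h) and shows the caller-side size check. The names b64_required, encode64_checked and encode_into and the sample inputs are this example's own; nothing here reproduces the library defect the alert describes.

```c
/* Added example: caller-side sizing and checking around a sasl_encode64-style
 * base64 routine. This is NOT the JES/Cyrus SASL implementation; it is a
 * stand-in with the same signature so the caller pattern can be exercised. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SASL_OK       0    /* values as declared in sasl.h */
#define SASL_BUFOVER (-3)  /* overflowed buffer */

/* Bytes a caller must provide for the encoding of inlen input bytes:
 * 4 output chars per 3 input bytes (rounded up) plus the terminating NUL.
 * A buffer sized for the characters alone is one byte short of what a
 * NUL-terminating encoder writes. */
static unsigned b64_required(unsigned inlen)
{
    return ((inlen + 2) / 3) * 4 + 1;
}

/* Stand-in encoder with sasl_encode64's signature (assumption: illustrative,
 * not the library's code). Writes nothing unless outmax holds the whole
 * encoding and the NUL; always NUL-terminates what it does write. */
static int encode64_checked(const char *in, unsigned inlen,
                            char *out, unsigned outmax, unsigned *outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned i, o = 0;

    if (out == NULL || outmax < b64_required(inlen))
        return SASL_BUFOVER;                       /* refuse, do not truncate */

    for (i = 0; i + 2 < inlen; i += 3) {           /* full 3-byte groups */
        uint32_t v = ((uint32_t)(unsigned char)in[i]     << 16) |
                     ((uint32_t)(unsigned char)in[i + 1] <<  8) |
                      (uint32_t)(unsigned char)in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >>  6) & 63];
        out[o++] = tbl[ v        & 63];
    }
    if (i < inlen) {                               /* 1 or 2 trailing bytes */
        uint32_t v = (uint32_t)(unsigned char)in[i] << 16;
        if (i + 1 < inlen)
            v |= (uint32_t)(unsigned char)in[i + 1] << 8;
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';                                 /* in bounds: outmax >= o + 1 */
    if (outlen)
        *outlen = o;
    return SASL_OK;
}

/* Caller pattern for code that links the shared SASL library: verify the
 * buffer before the call and verify the result after it. Returns 1 on
 * success, 0 if the input cannot be encoded into buf without overflowing. */
static int encode_into(const char *in, unsigned inlen, char *buf, unsigned bufsz)
{
    unsigned outlen = 0;

    if (bufsz < b64_required(inlen))
        return 0;                                  /* would overflow: refuse */
    if (encode64_checked(in, inlen, buf, bufsz, &outlen) != SASL_OK)
        return 0;
    return buf[outlen] == '\0';                    /* terminator landed in bounds */
}

int main(void)
{
    const char *samples[] = { "foo", "foob", "foobar" };  /* constructed inputs */
    char buf[16];
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        unsigned n = (unsigned)strlen(samples[k]);
        if (encode_into(samples[k], n, buf, sizeof buf))
            printf("%-6s -> %s\n", samples[k], buf);
        else
            printf("%-6s -> refused (buffer too small)\n", samples[k]);
    }
    return 0;
}
```

The check that matters is the one in encode_into: it is computed from inlen before the library call, so it holds regardless of what the installed sasl_encode64 does with a buffer that is exactly one byte too small.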
This vulnerability is also described in the following documents:
CERT VU#238019 at:
This issue can occur in the following releases:
$ /usr/sbin/swlist 141940*

Windows Platform:

Note 2: This issue only occurs on systems that have the SUNWsasl package installed. To determine if the SUNWsasl package is installed on a system, one of the following commands can be used:

Solaris Platform:

$ /usr/bin/pkginfo -l SUNWsasl

Linux Platform:

$ /bin/rpm -q sun-sasl

Note: Linux "sun-sasl" packages 2.19-5 and earlier are vulnerable to this issue.

HP-UX Platform:

$ /usr/sbin/swlist sun-sasl

Windows Platform:

Java Enterprise System Simple Authentication and Security Layer (SASL) can be installed on the Windows Platform only via an installation of the Sun Java Enterprise System 5 or higher.

To determine if Sun Java Enterprise System is installed, go to "Add or Remove Programs" from the "Control Panel" and check if "Sun Java(TM) Enterprise System 5" is listed as being currently installed.

To determine the list of JES patches installed on the system, the following command can be used:

<JES installation directory>\utils\patch\ListJavaESPatches.exe

3. Symptoms
If the described issue occurs, an application that links against the Java Enterprise System Simple Authentication and Security Layer (SASL) library may crash, potentially leaving a core file depending on the system configuration.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.