Note: This is an archival copy of Security Sun Alert 200062 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000047.1.
Article ID : 1000047.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-03
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Sun Java System Application Server and Sun Java System Web Server May Allow a Remote Unprivileged User to Read Certain Files



Category
Security

Release Phase
Resolved

Product
Sun ONE Application Server 7, Standard Edition
Sun Java System Web Server 6.1
Sun Java System Web Server 6.0 Service Pack 8
Sun Java System Application Server Enterprise Edition 7 2004Q2
Sun Java System Application Server Enterprise Edition 8.1 2005Q1
Sun ONE Application Server 7, Platform Edition

Bug Id
6302377, 6284124, 6308777

Date of Resolved Release
27-JUL-2006

Impact

A security vulnerability in Sun Java System Application Server (SJSAS) and Sun Java System Web Server (SJSWS) may allow a remote unprivileged user to read files outside of the configured document root directory of the system upon which SJSAS or SJSWS is running.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-02 or (SVR4) patch 119166-09
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 116648-18

x86 Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119170-02 or (SVR4) patch 119167-09
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 116649-18

Linux Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119171-02 or (SVR4) patch 119168-09
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 118202-10

AIX Platform

  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6

HP-UX Platform

  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (native) patch 121514-01
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 121510-02

Windows Platform

  • Sun ONE Application Server 7 without Update 8
  • Sun Java System Application Server 7 2004 Q2 without Update 5
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119172-07 or (native) patch 121528-01
  • Sun Java System Web Server 6.0 without Service Pack 10
  • Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
  • Sun Java System Web Server 6.1 2005 Q1 without patch 121524-02

To determine the version of Sun Java System Application Server on a system, the following command can be run:

    $ <AS_INSTALL>/bin/asadmin version --verbose
    Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)

(Where <AS_INSTALL> is the installation directory of the Application Server.) The "UR" suffix in the version string is the Update Release level; in the sample output above, 2004Q2UR3 is Update 3, which is earlier than Update 5 and therefore still affected.

To determine the version of Sun Java System Web Server on a system, the following command can be run:

    $ <WS-install>/https-<host>/start -version

(Where <WS-install> is the top installation directory of the Web Server and <host> is the actual host name on which the Web Server is installed.)
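The two checks above, together with the per-platform patch lists in this section, are what an administrator actually has to evaluate to decide whether a host is affected. The following POSIX shell script is an added example and is not part of the Sun Alert: it parses `asadmin version --verbose` output for the Update Release level, and parses Solaris `showrev -p` output to see whether a required patch revision (for example 119166-09) is installed. The `showrev -p` and `asadmin` output embedded below is constructed sample data, and the interpretation of "UR<n>" as "Update <n>" is an assumption based on the sample output in this alert.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): decide whether a host is still
# affected by this alert from version strings and installed patch revisions.

# Constructed sample of `showrev -p` output (Solaris). Only the "Patch:"
# field matters here; multiple revisions of one patch may be listed.
SAMPLE_SHOWREV='Patch: 119166-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu SUNWasr
Patch: 119166-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu SUNWasr
Patch: 116648-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwbsvr'

# Constructed sample of `asadmin version --verbose` output, matching the
# format shown in this alert.
SAMPLE_ASADMIN='Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)'

# installed_rev "<showrev -p output>" <patch-id>
# Prints the highest installed revision of <patch-id> as an integer, 0 if absent.
installed_rev() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 > best) best = p[2] + 0
        }
        END { print best + 0 }'
}

# patch_ok "<showrev -p output>" <patch-id>-<min-rev>
# Returns 0 when a revision >= <min-rev> of <patch-id> is installed.
patch_ok() {
    id=${2%-*}
    need=$(expr "${2##*-}" + 0)      # strip leading zero: "09" -> 9
    [ "$(installed_rev "$1" "$id")" -ge "$need" ]
}

# as_update_level "<asadmin version --verbose output>"
# Prints the number after "UR" (assumed to be the Update Release), 0 if absent.
as_update_level() {
    printf '%s\n' "$1" | awk '
        { if (match($0, /UR[0-9]+/)) print substr($0, RSTART + 2, RLENGTH - 2); else print 0 }'
}

# sjsas_2004q2_affected "<asadmin output>"
# Returns 0 (true) when the 7 2004Q2 server is below Update 5, the fix level in this alert.
sjsas_2004q2_affected() {
    [ "$(as_update_level "$1")" -lt 5 ]
}

# report "<showrev -p output>" <patch-id>-<min-rev>...
# One line per required patch; exit status 1 if any is missing or too old.
report() {
    out="$1"; shift
    rc=0
    for req in "$@"; do
        if patch_ok "$out" "$req"; then
            echo "ok       $req (installed rev $(installed_rev "$out" "${req%-*}"))"
        else
            echo "MISSING  $req (installed rev $(installed_rev "$out" "${req%-*}"))"
            rc=1
        fi
    done
    return $rc
}

# Demonstration against the constructed samples (SPARC patch IDs from this alert).
if sjsas_2004q2_affected "$SAMPLE_ASADMIN"; then
    echo "SJSAS 7 2004Q2 at Update $(as_update_level "$SAMPLE_ASADMIN"): AFFECTED (needs Update 5)"
else
    echo "SJSAS 7 2004Q2 at Update $(as_update_level "$SAMPLE_ASADMIN"): patched"
fi
report "$SAMPLE_SHOWREV" 119166-09 116648-18 || echo "at least one required patch is missing"
```

On a live Solaris host, replace the samples with `"$(showrev -p)"` and `"$(<AS_INSTALL>/bin/asadmin version --verbose)"`; the SVR4 patch IDs differ per platform, so pass the ones from the matching list above. The file-based (non-SVR4) patches do not appear in `showrev -p` and must be checked by the product's own version output.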


Symptoms

There are no reliable symptoms that would indicate the described issues have been exploited.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119169-02 or (SVR4) patch 119166-09 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 116648-18 or later

x86 Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119170-02 or (SVR4) patch 119167-09 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 116649-18 or later

Linux Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119171-02 or (SVR4) patch 119168-09 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 118202-10 or later

AIX Platform

  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later

HP-UX Platform

  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (native) patch 121514-01 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 121510-02 or later

Windows Platform

  • Sun ONE Application Server 7 with Update 8 or later
  • Sun Java System Application Server 7 2004 Q2 with Update 5 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119172-07 or (native) patch 121528-01 or later
  • Sun Java System Web Server 6.0 with Service Pack 10 or later
  • Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later
  • Sun Java System Web Server 6.1 2005 Q1 with patch 121524-02 or later

Product Updates:

Sun ONE Application Server 7 Update 8 can be found at: http://www.sun.com/download/products.xml?id=438cfb75

Sun Java System Application Server 7 2004 Q2 Update 5 can be found at: http://www.sun.com/download/products.xml?id=44529a75

Sun Java System Web Server 6.0 Service Pack 10 can be found at: http://www.sun.com/download/products.xml?id=43a84f89

Sun Java System Web Server 6.1 Service Pack 6 can be found at: http://www.sun.com/download/products.xml?id=44989742



Modification History
Date: 16-MAR-2007
  • Updated Contributing Factors and Resolution sections


References

119166-09
119167-09
119168-09
119169-02
119170-02
119171-02
119172-07
121514-01
121528-01
116648-18
116649-18
118202-10
121510-02
121524-02



