Note: This is an archival copy of Security Sun Alert 200558 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000425.1.
Article ID : 1000425.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-09-08
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple Security Vulnerabilities in the Sun Java System Identity Manager May Allow HTML Injection, Cross-Site Scripting Exploits or Unauthorized Redirection

Category
Security

Release Phase
Resolved

Product
Sun Java System Identity Manager 7.0
Sun Java System Identity Manager 6.0
Sun Java System Identity Manager 7.1

Bug Id
N/A

Date of Preliminary Release
09-JAN-2008

Date of Resolved Release
14-Jan-2008

Multiple Security Vulnerabilities in the Sun Java System Identity Manager May Allow HTML Injection, Cross-Site Scripting Exploits or Unauthorized Redirection (see details below)

1. Impact

Sun Java System Identity Manager is affected by multiple security vulnerabilties with varying impacts.

Four Cross-site Scripting (XSS) vulnerabilities may allow local or remote unprivileged users the ability to execute unauthorized scripting code in a user's browser when that user clicks a link to Sun Java System Identity Manager. In addition, a further vulnerability may allow a local or remote unprivileged user to inject unauthorized HTML code into a user's browser when that user clicks a link to Sun Java System Identity Manager. Two additional vulnerabilities may allow a local or remote unprivileged user to redirect the browser to unintended remote sites or to inject frames containing data from unintended sites.

Sun would like to acknowledge with thanks, Adrian Pastor and Jan Fry of ProCheckUp Ltd. for bringing 6 of these issues to our attention.

2. Contributing Factors

These issues can occur in the following releases (for all supported platforms):

  • Sun Java System Identity Manager 6.0 without patch 136848-02
  • Sun Java System Identity Manager 6.0 SP1 without patch 136849-02
  • Sun Java System Identity Manager 6.0 SP2 without patch 136850-02
  • Sun Java System Identity Manager 6.0 SP3 without patch 136851-02
  • Sun Java System Identity Manager 7.0 without patch 136852-02
  • Sun Java System Identity Manager 7.1 without patch 136853-02

To determine the version of Sun Java System Identity Manager installed on a system, log in to the administrator console using a browser and hover the mouse pointer over the "Help" tab in the upper right portion of the masthead. The current version will be displayed similar to the following:

Version Sun Java System Identity Manager 7.0 (20070523)

3. Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited.

4. Workaround

There is no workaround for these issues. Please see the Resolution section below.

5. Resolution

These issues are addressed in the following releases (for all supported platforms):

  • Sun Java System Identity Manager 6.0 with patch 136848-02 or later
  • Sun Java System Identity Manager 6.0 SP1 with patch 136849-02 or later
  • Sun Java System Identity Manager 6.0 SP2 with patch 136850-02 or later
  • Sun Java System Identity Manager 6.0 SP3 with patch 136851-02 or later
  • Sun Java System Identity Manager 7.0 with patch 136852-02 or later
  • Sun Java System Identity Manager 7.1 with patch 136853-02 or later

For more information on Security Sun Alerts, see Sun 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


Modification History
14-Jan-2008: Updated Contributing Factors and Resolution sections, State: Resolved
16-Jan-2008: Updated Contributing Factors and Resolution sections
09-Sep-2008: No content updated, change status to Resolved from Preliminary, issue was Resolved 14-Jan-2008


References
 136848-02

 136849-02

 136850-02

 136851-02

 136852-02

 136853-02



                                    



Attachments
This solution has no attachment