|
Note: This is an archival copy of Security Sun Alert 201387 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001060.1. |
Category Security Release Phase Resolved Sun Java Web Console 2.2.3 Solaris 10 Operating System Sun Java Web Console 2.2.5 Sun Java Web Console 2.2.4 Sun Java Web Console 2.2.2 Bug Id 6505096 Date of Resolved Release 17-APR-2007 Impact A security vulnerability in the Sun Java Web Console may allow a local or remote unprivileged user to access privileged data or crash the Java Web Console service, leading to a Denial of Service (DoS) condition. Sun acknowledges with thanks, Frank Dick of N.RUNS AG (http://www.nruns.com/) for bringing this issue to our attention. For additional information regarding this issue, see the following: N.RUNS AG security bulletin at http://www.nruns.com/security_advisory_sun_java_format_string.php CVE-2007-1681 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1681 Contributing Factors This issue can occur in the following releases: SPARC Platform
x86 Platform
Notes:
To determine the version of Sun Java Web Console installed on the system, the following command can be run: $ /usr/sbin/smcwebserver -V Version 2.2.2 Symptoms There are no predictable symptoms that would indicate the described issue has been exploited. Workaround To work around the described issue, configure the Sun Java Web Console logging service to turn off writing messages to syslog. This can be done by executing the following command as the root user: # /usr/sbin/smreg add -p -c logging.default.level=off Resolution This issue is addressed in the following releases: SPARC Platform
x86 Platform
Sun Java Web Console 2.2.6 can be downloaded at http://www.sun.com/download/products.xml?id=461d58be References121211-02121212-02 Attachments This solution has no attachment | |||||||||||||||
|
|