Note: This is an archival copy of Security Sun Alert 201545 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001152.1.
Article ID : 1001152.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-05-30
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Sun Java System Web Server May Allow Unauthorized Access to Host Data With Certain URLs



Category
Security

Release Phase
Resolved

Product
Sun Java System Web Server 6.0 Service Pack 10
Sun Java System Web Server 6.1
Sun Java System Web Server 6.0 Service Pack 8

Bug Id
6429293

Date of Resolved Release
15-MAR-2007

Impact

A security vulnerability in the Sun Java System Web Server may allow a local or remote user to gain unauthorized access to data stored on the host running the Sun Java System Web Server under certain conditions.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 116648-19

x86 Platform

  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 116649-19

Linux Platform

  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 118202-11

AIX Platform

  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7

HP-UX Platform

  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 121510-03

Windows Platform

  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 121524-03

Note: Sun Java System Web Server 7.0 is not affected by this issue.

To determine the version of Sun Java System Web Server on a system, the following command can be run:

    $ <WS-install>/https-<host>/start -version

 


Symptoms

There are no reliable symptoms that would indicate the described issue has occurred.


Workaround

There is no workaround. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 116648-19 or later

x86 Platform

  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 116649-19 or later

Linux Platform

  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 118202-11 or later

AIX Platform

  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later

HP-UX Platform

  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 121510-03 or later

Windows Platform

  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 121524-03 or later

Sun Java System Web Server 6.0 Service Pack 11 is available at:

Sun Java System Web Server 6.1 Service Pack 7 is available at:



References

116648-19
116649-19
118202-11
121510-03
121524-03



