Multiple Security Vulnerabilities in Sun Java ASP Server may lead to execution of Arbitrary Code or Unauthorized Access to Data

Category
Security

Release Phase
Resolved

Bug Id
6550891, 6556637

Date of Resolved Release
03-Jun-2008

Multiple Security Vulnerabilities in Sun Java ASP Server may lead to execution of Arbitrary Code or Unauthorized Access to Data

1. Impact

Multiple security vulnerabilities in the Sun Java ASP Server may allow a local or remote unprivileged user to execute arbitrary code with the privileges of the root user or with the privileges of the user running the Sun Java ASP Server. These issues may also allow a remote unprivileged user to gain unauthorized access to data, create arbitrary files on an affected system and bypass authentication mechanisms on the ASP application server.

Sun acknowledges with thanks, iDefense (http://www.idefense.com), for bringing these issues to our attention.

These issues are also described in the following documents:

iDefense Vulnerability Advisories:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=705
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=706
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=707
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=708
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=709
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=710
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=710

and the following from CVE:

CVE-2008-2401 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2401
CVE-2008-2402 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2402
CVE-2008-2403 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2403
CVE-2008-2404 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2404
CVE-2008-2405 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2405
CVE-2008-2406 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2406

2. Contributing Factors

These issues can occur in the following releases for all platforms (Solaris 8, 9, and 10 on Solaris SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX):

Sun Java ASP Server 4.0.2 or earlier

Note: Sun Java ASP Server on the Windows platform is not affected by the issues described in CVE-2008-2401, CVE-2008-2402, CVE-2008-2403 and CVE-2008-2406.

To determine the revision of Sun Java ASP Server installed on a SPARC, x86, Linux, HP-UX or AIX system, the following command may be run:

$ cat /opt/casp/VERSION
Sun Java System Active Server Pages Version: 4.0.2

On the Windows platform, the version of Sun Java ASP Server installed may be determined by verifying the following key in the Windows system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\ChiliSoft\ChiliAsp\Install] "CaspVersion"="4.0.3"

3. Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited to execute arbitrary code with elevated privileges or to gain unauthorized access to data.

4. Workaround

To work around the issues described in CVE-2008-2401, CVE-2008-2402, CVE-2008-2403 and CVE-2008-2406 on the SPARC, Linux, HP-UX and AIX platforms, disable the Admin Server on the Sun Java ASP Server. Sun Java ASP Server on the Windows platform is not affected by the issues described in these CVEs.

The Admin Server may be disabled as the 'root' user by using the following command:

# /opt/casp/admtool -e

There is no workaround to the issues described in CVE-2008-2404 and CVE-2008-2405. Please see the Resolution section below.

5. Resolution

These issues are addressed in the following releases for all platforms (Solaris 8, 9, and 10 on Solaris SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX):

Sun Java ASP Server 4.0.3

The Sun Java ASP Server 4.0.3 may be downloaded at the following URL for all platforms:

https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJASP-4.0.3-OTH-G-TP@CDS-CDS_SMI

For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History
09-Jun-2008: Updated Impact section to add CVE notifications
31-Jul-2008: Correct URLs for CVE notifications

Product
Sun Java Standard Edition (Java SE)

Attachments

This solution has no attachment