Executive Summary

Summary
Title: Sun Alert 103069 Installation of Sun Java System Access Manager 7.1 on Sun Java System Application Server 9.1 or 8.x May Compromise Application Server Security
Information
Name: SUN-103069
Vendor: Sun
Severity (Vendor): N/A
First vendor publication: 2007-09-27
Last vendor modification: 2009-09-10
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A    Environmental score: N/A
Impact subscore: N/A    Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5    Attack range: Network
CVSS impact score: 6.4    Attack complexity: Low
CVSS exploit score: 10    Authentication: None required

Detail

Product: Sun Java System Access Manager 7.1

There are two vulnerabilities associated with this issue:

1. When Sun Java System Access Manager 7.1 is installed in a Sun Java System Application Server 9.1 container and the container is restarted, no authentication screen is displayed. Any application relying on container-based authentication then grants access to every user without authenticating them, so unprivileged, non-administrative users can perform administrative tasks. For example, the Admin Console (a pre-deployed system application used to administer the Application Server) no longer prompts for credentials, so anyone, with or without administrative privileges, can administer the Application Server.

2. When Sun Java System Access Manager 7.1 is installed in a Sun Java System Application Server 8.x container, the installation may be exposed to malicious code. If an application is deployed in such an environment, a local or remote unprivileged user may be able to execute arbitrary code with the privileges of the deployed application.
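The first issue is a silent failure: after the restart, container-managed authentication simply stops challenging anonymous requests, and nothing in the server's own behaviour flags it. The following is an added example, not code from the Sun Alert or from Sun's products, of the regression check a practitioner would run after restarting the container: issue an anonymous GET against each URL the container is supposed to protect and fail if any of them is served rather than challenged. The host, port and protected paths are assumptions for illustration, and the sample responses at the bottom are constructed so the classification logic can be exercised offline.

```python
"""Post-restart check that container-managed authentication is still enforced.

Added example for this advisory; not part of the Sun Alert or of Sun's
products. Host, port and the protected paths below are assumptions.
"""
import http.client
from dataclasses import dataclass, field

# Assumed for illustration: the Application Server's HTTP admin port and two
# paths the container is expected to protect (the Admin Console among them).
ASSUMED_HOST = "localhost"
ASSUMED_PORT = 4848
ASSUMED_PROTECTED_PATHS = ["/asadmin/", "/protected/index.jsp"]


@dataclass
class Probe:
    """One anonymous GET and what came back."""
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def auth_enforced(probe):
    """True if the container challenged the anonymous request instead of serving the resource.

    Accepts the ways a Java EE container demands credentials: HTTP 401 with a
    WWW-Authenticate header (BASIC/DIGEST), a redirect to a login page, or
    HTTP 200 whose body is the FORM login page posting to j_security_check.
    A 403 is a denial, not a bypass. Anything else on a protected path means
    the resource was served without authentication.
    """
    headers = {k.lower(): v for k, v in probe.headers.items()}
    if probe.status == 401 and "www-authenticate" in headers:
        return True
    if probe.status == 403:
        return True
    if probe.status in (301, 302, 303, 307, 308):
        return "login" in headers.get("location", "").lower()
    if probe.status == 200:
        return "j_security_check" in probe.body
    return False


def bypassed_paths(probes):
    """Paths served to an anonymous client; a non-empty list means auth bypass."""
    return [p.path for p in probes if not auth_enforced(p)]


def fetch(host, port, path, timeout=5.0):
    """Issue one anonymous GET (no credentials, no cookies) and capture the response."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        return Probe(path, resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


def check_server(host=ASSUMED_HOST, port=ASSUMED_PORT, paths=ASSUMED_PROTECTED_PATHS):
    """Probe every protected path on a live server; run this after restarting the container."""
    return bypassed_paths([fetch(host, port, p) for p in paths])


# Constructed sample responses (not captured from a real server) so the
# classification can be exercised offline.
HEALTHY = [
    Probe("/asadmin/", 401, {"WWW-Authenticate": 'Basic realm="admin-realm"'}),
    Probe("/protected/index.jsp", 200, {"Content-Type": "text/html"},
          '<form method="POST" action="j_security_check">'),
]
AFTER_RESTART = [
    Probe("/asadmin/", 200, {"Content-Type": "text/html"}, "<title>Admin Console</title>"),
    Probe("/protected/index.jsp", 302, {"Location": "/protected/home.jsp"}),
]

if __name__ == "__main__":
    print("healthy bypasses:", bypassed_paths(HEALTHY))
    print("after-restart bypasses:", bypassed_paths(AFTER_RESTART))
```

The check deliberately sends no credentials and no session cookie, because the advisory's failure mode is that an unauthenticated client is let through; a test that reuses an administrator's session would pass regardless. Treating a 200 as enforced only when the body is the FORM login page matters because a container using FORM authentication forwards to the login page at the requested URL rather than redirecting, so a naive "200 means bypass" rule would report false positives on healthy servers.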

State: Resolved
First released: 27-Sep-2007

Original Source

URL: http://blogs.sun.com/security/entry/sun_alert_103069_installation_of

CWE : Common Weakness Enumeration

%      Id       Name
50 %   CWE-287  Improper Authentication
50 %   CWE-94   Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type  Description  Count
Application 5
Application 4

Open Source Vulnerability Database (OSVDB)

Id     Description
37758  Sun Java System Access Manager Container Restart Authentication Bypass
37757  Sun Java System Access Manager Unspecified Remote Code Execution