Executive Summary

Summary | Value
---|---
Title | Sun Alert 103069: Installation of Sun Java System Access Manager 7.1 on Sun Java System Application Server 9.1 or 8.x May Compromise Application Server Security
Information | | |
---|---|---|---
Name | SUN-103069 | First vendor publication | 2007-09-27
Vendor | Sun | Last vendor modification | 2009-09-10
Severity (vendor) | N/A | Revision | N/A
Security-Database Scoring CVSS v3

CVSS vector: N/A | | |
---|---|---|---
Overall CVSS Score | NA | |
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | |
---|---|---|---
CVSS Base Score | 7.5 | Attack Range | Network
CVSS Impact Score | 6.4 | Attack Complexity | Low
CVSS Exploit Score | 10 | Authentication | None Required
Detail

Product: Sun Java System Access Manager 7.1

There are two vulnerabilities associated with this issue:

1. When Sun Java System Access Manager 7.1 is installed in a Sun Java System Application Server 9.1 container and the container is restarted, no authentication screen is displayed. Any application using container-based authentication would no longer work correctly, as all users would be granted access without authentication. This can lead to unprivileged, non-administrative users performing administrative tasks. As an example, the Admin Console application (a pre-deployed system application on the Application Server used to administer the Application Server) no longer prompts users for authentication when it is accessed. Thus anyone, whether they have administrative privileges or no privileges at all, could administer the Application Server.

2. When Sun Java System Access Manager 7.1 is installed in a Sun Java System Application Server 8.x container, the installation may be vulnerable to malicious code. If an application is deployed in such an environment, then a local or remote unprivileged user may be able to execute arbitrary code with the privileges of the deployed application.

State: Resolved

First released: 27-Sep-2007
Original Source

URL: http://blogs.sun.com/security/entry/sun_alert_103069_installation_of
CWE: Common Weakness Enumeration

% | Id | Name
---|---|---
50 % | CWE-287 | Improper Authentication
50 % | CWE-94 | Failure to Control Generation of Code ('Code Injection')
CPE: Common Platform Enumeration

Open Source Vulnerability Database (OSVDB)

Id | Description
---|---
37758 | Sun Java System Access Manager Container Restart Authentication Bypass
37757 | Sun Java System Access Manager Unspecified Remote Code Execution