P-187: Sun Java System Web Proxy Server Vulnerability
Privacy and Legal Notice
INFORMATION BULLETIN
P-187: Sun Java System Web Proxy Server Vulnerability
[Sun Alert ID: 57763]
April 20, 2005 18:00 GMT
|
| PROBLEM: |
A buffer overflow vulnerability was discovered in Sun Java System Web Proxy Server (Formerly Sun ONE Proxy Server).
|
| PLATFORM: |
Sun Java System Web Proxy Server 3.6 Service Pack 6
|
| DAMAGE: |
Exploiting this vulnerability may allow a remote unprivileged user to execute arbitrary code on the system running the Web Proxy Server with the privileges of the server process. Note that the default UID for the Web Proxy Server is "nobody", however, the administrator may have used a different UID from the default during installation or configuration.
|
| SOLUTION: |
Apply available security updates.
|
|
VULNERABILITY
ASSESSMENT: |
The risk is MEDIUM. A remote unprivileged user may execute arbitrary code and cause the Web Proxy Server to crash.
|
|
[***** Start Sun Alert ID: 57763 *****]
Sun(sm) Alert Notification
* Sun Alert ID: 57763
* Synopsis: Buffer Overflow Vulnerabilities in Sun Java System Web Proxy
Server
* Category: Security
* Product: Sun Java System Web Proxy Server 3.6 Service Pack 6
* BugIDs: 5109863
* Avoidance: Upgrade
* State: Resolved
* Date Released: 19-Apr-2005
* Date Closed: 19-Apr-2005
* Date Modified:
1. Impact A buffer overflow vulnerability in the Sun Java System Web Proxy
Server (Formerly Sun ONE Proxy Server) may allow a remote unprivileged user
to execute arbitrary code on the system running the Web Proxy Server with
the privileges of the server process.
Note: The default UID for the Web Proxy Server is "nobody", however, the
administrator may have used a different UID from the default during instalation
or configuration.
2. Contributing Factors This issue can occur in the following releases for
all platforms:
* Sun Java System Web Proxy Server 3.6 Service Pack 6 and earlier
Note: For supported architectures and OS versions see http://www.sun.com/software/products/web_proxy/home_web_proxy.xml
3. Symptoms The Web Proxy Server may crash if the described buffer overflow
vulnerabilities have been exploited.
Solution Summary Top
4. Relief/Workaround There is no workaround. Please see the "Resolution"
section below.
5. Resolution This issue is addressed in the following release:
* Sun Java System Web Proxy Server 3.6 Service Pack 7 and later
which can be downloaded at http://www.sun.com/download/index.jsp under the
"Web and Proxy Servers" selection.
This Sun Alert notification is being provided to you on an "AS IS" basis. This
Sun Alert notification may contain information provided by third parties.
The issues described in this Sun Alert notification may or may not impact
your system(s). Sun makes no representations, warranties, or guarantees as
to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY
ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT
ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an
agreement, the Sun.com Terms of Use. This Sun Alert notification may only
be used for the purposes contemplated by these agreements.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.
[***** End Sun Alert ID: 57763 *****]
CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
DOE-CIRC can be contacted at:
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/