A Security Vulnerability in the Sun Java System Web Server Related to Handling of Dynamic Content May Lead to Unauthorized Information Disclosure |
|
| Category : | Security |
| Release Phase : | Workaround |
| Bug Id : | 6860680
|
| Product : | Sun Java System Web Server 6.1
Sun Java System Web Server 7.0
|
| Date of Workaround Release : | 27-Aug-2009
|
A Security Vulnerability in the Sun Java System Web Server Related to Handling of Dynamic Content May Lead to Unauthorized Information Disclosure
1. Impact
A security vulnerability in the Sun Java System Web Server related to
handling of dynamic content may allow a remote unprivileged user to
gain access to sensitive information on a Windows system running the
Sun Java System Web Server application.
This issue is also referenced in the following document:
2. Contributing Factors
Windows Platform
- Sun Java System Web Server 6.1 without Service Pack 12
- Sun Java System Web Server 7.0 without patch 125441-17 (for Update Release 6)
Note: Sun Java System Web
Server 6.1 and 7.0 running on non-Windows platforms are not impacted by
this issue.
Sun Java System Web Server 7.0 Update Release 6 can be downloaded from:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-7.0U6-OTH-G-F@CDS-CDS_SMI
3. Symptoms
There are no predictable symptoms to indicate that this issue has been
exploited to gain unauthorized access to information.
4. Workaround
To work around the described issue, add the following mapping to the "config/default-web.xml" file:
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp::$DATA</url-pattern>
</servlet-mapping>
and then restart the Web Server by executing the following commands as the 'root' user:
# <INSTALL-DIR>/admin-server/bin/stopserv
# <INSTALL-DIR>/admin-server/bin/startserv
where <INSTALL-DIR> is the path to the Sun Java System Web Server installation directory.
Refer to the product documentation for more information on editing the "default-web.xml" file.
Note: This workaround is valid
only for Java Server Pages (JSP). There is no workaround to avoid this
issue with other dynamic content provided by the Web Server.Refer to the product documentation for more information on editing the
"default-web.xml" file.
5. Resolution
This issue is addressed in the following release:
Windows Platform- Sun Java System Web Server 7.0 with patch 125441-17 or later
A final resolution is pending completion.
For more information on
Security Sun Alerts, see Technical
Instruction
ID 213557.
This Sun Alert
notification is being provided to you on
an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun
Microsystems,
Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.Modification History11-Sep-2009: Updated Contributing Factors and Resolution sections
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
