Sun Web Server Hit with Multiple Security Vulnerabilities -- Redmond Channel Partner

Sun Web Server Hit with Multiple Security Vulnerabilities

By Joab Jackson
June 04, 2008

A security research firm has found multiple flaws in Web server software from Sun Microsystems that would collectively allow attackers to log on, gain root access, peruse and delete files, and execute malicious commands.

All the vulnerabilities, investigated by iDefense, appear in versions 4.2 and earlier of Sun Java System Active Server Pages, software that allows creation of Active Server Pages across different operating systems and production environments.

Sun has issued an update to the software along with workarounds for administrators who want to keep their original configurations.

The six vulnerabilities are:

An authorization bypass vulnerability through port 5102 that allows an attacker to bypass the log-in process entirely.

An information disclosure vulnerability that allows attackers to read sensitive information from a Web server.

A directory traversal vulnerability that allows an attacker who has logged on to browse directories and obtain the contents of sensitive system files or even delete them.

A file-creation vulnerability that allows attackers to create, or append to, arbitrary files with root privileges.

A buffer overflow vulnerability that allows attackers to execute arbitrary code on the server.

A set of command injection vulnerabilities that allow attackers to execute sensitive commands by the software's shell interface.

The individual who found the vulnerabilities wishes to remain anonymous, according to iDefense. The security company reported the vulnerabilities to Sun on April 4, and the two companies coordinated the public disclosure of the hole yesterday.

The vulnerabilities have been submitted for inclusion to the CVE list of standardized names of security problems.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

Free Webcast! Learn about Password Management Best Practices

Featured

After High-Profile Attacks, Biden Calls for Better Software Security

Recent high-profile security attacks have prompted the Biden administration to issue an executive order aiming to tighten software security practices across the board.
With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

Hybrid networks, which combine use of cloud services with on-premises software, require a "zero trust" security approach, Microsoft said this week.
Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

A recent ransomware attack on a U.S. fuel pipeline company has put a spotlight on how "critical infrastructure" organizations can prevent similar attacks.
Darktrace Deal To Bring AI Security to Microsoft Products

Microsoft and security solutions firm Darktrace plan to integrate the latter's AI products with Microsoft Azure, Azure Sentinel and Microsoft Defender for Endpoint.

RCP Update

Email Address*Country*

Please type the letters/numbers you see above.

Sun Web Server Hit with Multiple Security Vulnerabilities

Featured

After High-Profile Attacks, Biden Calls for Better Software Security

With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

Darktrace Deal To Bring AI Security to Microsoft Products

The 2021 Microsoft Product Roadmap

With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

After High-Profile Attacks, Biden Calls for Better Software Security

Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

2021 Microsoft Conference Calendar: For Partners, IT Pros and Developers

The 2021 Microsoft Product Roadmap

With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

After High-Profile Attacks, Biden Calls for Better Software Security

Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

2021 Microsoft Conference Calendar: For Partners, IT Pros and Developers

Partner Guides

Partner's Guide to the Windows Server 2008 Deadline

Partner's Guide to UCaaS

Partner's Guide to Starter Workloads in Azure

Partner's Guide to Microsoft's Fiscal Year 2019

Partner's Guide to Making the Most of Dynamics 365 IUR

FREE WEBCASTS FROM OUR SPONSORS

Tap into the true Microsoft 365 earning potential

Protect Your Customers Against Email Threats with MDR and Microsoft Defender for Office 365

Boost Your Dynamics 365 Business with the Power of the Indirect Model and Tech Data

Webroot’s 2021 Threat Report

FREE WHITE PAPERS FROM OUR SPONSORS

Partner Profile - How eSentire MDR Expands Microsoft 365's Security Capabilities

2021 Webroot BrightCloud Threat Report

eBook: Hacker Personas

Carbonite Data Protection & Cyber Resilience