CERT-In Advisory CIAD-2009-15
Multiple Vulnerabilities in Sun Java System Identity Manager
Original issue date: March 27, 2009
Severity Rating: High
Systems Affected
- Sun Java System Identity Manager 7.0
- Sun Java System Identity Manager 7.1
- Sun Java System Identity Manager 7.1.1
- Sun Java System Identity Manager 8.0
Overview
Multiple vulnerabilities have been reported in Sun Java System Identity Manager, which could be exploited by remote attackers to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, manipulate certain data, or potentially compromise a vulnerable system.
Description
These issues are caused by unspecified errors when processing user-supplied data or requests, which could allow remote attackers to gain unauthorized access to data being transferred between clients and the Identity Manager (IDM) server.
- A local or remote attacker can change the passwords of other users' accounts.
- A local or remote attacker can determine the existence of valid usernames.
- A local or remote attacker can perform certain actions with capabilities beyond those assigned.
- A remote attacker can execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
- A local or remote attacker can execute arbitrary commands on Unix/Linux based resource adapters.
- A remote attacker could conduct cross-site scripting and cross-site request forgery attacks.
- A local or remote attacker can modify IDM system configuration data.
- A local or remote attacker can submit arbitrary commands to the Admin Console and perform administrative actions (e.g. creating accounts).
- A remote authenticated user could execute arbitrary code on the IDM system with escalated privileges.
Successful exploitation of these issues may require a valid user account.
Note: Sun Java System Identity Manager Version 8.1 is not affected by these issues.
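The advisory names three weakness classes that any web-facing identity service must guard against regardless of patch level: username enumeration through differing login responses (CWE-200), unencoded user data reflected into pages (CWE-79), and state-changing requests without an anti-forgery token (CSRF). The block below is an added illustration of the corresponding defensive patterns; it is generic example code, not code from Sun Java System Identity Manager or from the vendor patches, and the user store, salt and passwords in it are constructed for the demo.

```python
import hashlib
import hmac
import html
import secrets

# Constructed sample credential store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
_SALT = b"constructed-static-salt-for-demo"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}

# Hash for a throwaway password, so an unknown username costs the same
# amount of work as a known one and cannot be told apart by timing.
_DUMMY_HASH = _hash_password("dummy", _SALT)

# One message for both failure causes: the response must not reveal
# whether the username exists (username enumeration, CWE-200).
GENERIC_FAILURE = "Invalid username or password."


def authenticate(username: str, password: str, users=USERS):
    """Return (ok, message); message is identical for unknown user and wrong password."""
    salt, expected = users.get(username, (_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison; the membership check rejects an unknown user
    # who happens to type the dummy password.
    ok = hmac.compare_digest(candidate, expected) and username in users
    return ok, ("Login successful." if ok else GENERIC_FAILURE)


def render_greeting(display_name: str) -> str:
    """HTML-encode user-controllable text before placing it in a page (CWE-79)."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


def new_csrf_token() -> str:
    """Per-session secret that every state-changing form must echo back."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted_token: str) -> bool:
    """Constant-time check of the form's token against the session's copy."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    print(authenticate("alice", "correct horse"))
    print(authenticate("alice", "wrong"))
    print(authenticate("nobody", "wrong"))
    print(render_greeting("<script>alert(1)</script>"))
    token = new_csrf_token()
    print(csrf_token_valid(token, token), csrf_token_valid(token, token + "x"))
```

The two failed logins print the same message and run the same PBKDF2 computation, so neither the text nor the response time distinguishes a bad password from a non-existent account; the greeting shows script tags neutralized as text; the token check rejects a missing or altered token without an early-exit string comparison.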
Solutions
Apply the appropriate patches issued by the vendor:
- Sun Java System Identity Manager 7.0: apply patch 140935-01
- Sun Java System Identity Manager 7.1: apply patch 140936-01
- Sun Java System Identity Manager 7.1.1: apply patch 137621-11-1
- Sun Java System Identity Manager 8.0: apply patch 139010-06
http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1
Vendor Information
Sun Microsystems
http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1
References
Secunia
http://secunia.com/advisories/34380/
SecurityFocus
http://www.securityfocus.com/bid/34191/
SecurityTracker
http://securitytracker.com/alerts/2009/Mar/1021881.html
VUPEN
http://www.vupen.com/english/advisories/2009/0797
CWE
CWE-20
CWE-79
CWE-200
CWE-264
CWE-310
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003