CERT-In Vulnerability Note CIVN-2008-168
Sun Java System Web Proxy Server FTP Subsystem Heap-Based Buffer Overflow Vulnerability

Original Issue Date: October 20, 2008

Severity Rating: High

Systems Affected

  • Sun Java System Web Proxy Server 4.x

Overview

A heap-based buffer overflow vulnerability has been reported in Sun Java System Web Proxy Server. A remote attacker who successfully exploits it could execute arbitrary code with the privileges of the proxy service.

Description

The vulnerability is caused by a missing bounds check on user-supplied data before it is copied into a fixed-size heap buffer that is too small to hold it. A remote attacker can trigger the overflow by sending specially crafted data to the FTP subsystem of the proxy. Successful exploitation could allow the attacker to execute arbitrary code in the context of the proxy service; an unsuccessful attempt would typically corrupt the heap and crash the service.
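The description above gives the general shape of the flaw: a fixed-size heap buffer filled from peer-supplied data with no length check. The C program below is added here as an illustration of that CWE-119 pattern and is not taken from the Sun Java System Web Proxy Server source or from any of the referenced advisories. It places the unchecked copy beside its bounds-checked form and makes the off-by-one on the terminating NUL visible. The buffer size REPLY_BUF, the function names and the sample lines are assumptions made for the illustration; the "neighbor" region stands in for the adjacent heap chunk so the corruption can be observed inside a single allocation rather than through undefined behaviour.

```c
/* Added illustration of the CWE-119 pattern described in the advisory:
 * attacker-controlled bytes copied into a fixed-size heap buffer with no
 * length check, next to the bounds-checked form.  Generic example code,
 * not the Sun Java System Web Proxy Server source; REPLY_BUF, the function
 * names and the sample lines are assumptions made for the illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REPLY_BUF 32   /* assumed size of the heap buffer */
#define NEIGHBOR  32   /* bytes placed after it, standing in for the next chunk */

/* Vulnerable form: trusts the peer-supplied length.  Writes len+1 bytes
 * (payload plus NUL) into dst whatever dst's real size is. */
void copy_reply_unchecked(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Hardened form: the destination size travels with the pointer and the
 * copy is refused when the payload plus its terminator would not fit. */
int copy_reply_checked(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst_size == 0 || len > dst_size - 1)
        return -1;             /* reject, leaving dst untouched */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Bytes an unchecked copy of len payload bytes writes past a buf-byte
 * buffer (0 when it fits).  len == buf already overflows by one: the
 * terminator is the classic off-by-one. */
size_t overflow_bytes(size_t len, size_t buf)
{
    return len + 1 > buf ? len + 1 - buf : 0;
}

/* Simulated heap layout: a REPLY_BUF buffer followed by NEIGHBOR bytes
 * filled with 0xCC that represent the adjacent chunk.  Copies a constructed
 * line of n 'A' bytes with the unchecked function and reports whether the
 * neighbor changed.  n is kept below REPLY_BUF + NEIGHBOR so the write stays
 * inside the one allocation and the demo itself is well defined. */
int unchecked_copy_clobbers_neighbor(size_t n)
{
    if (n >= REPLY_BUF + NEIGHBOR)
        return -1;
    char *chunk = malloc(REPLY_BUF + NEIGHBOR);
    if (!chunk)
        return -1;
    memset(chunk + REPLY_BUF, 0xCC, NEIGHBOR);
    char line[REPLY_BUF + NEIGHBOR];
    memset(line, 'A', n);
    copy_reply_unchecked(chunk, line, n);
    int damaged = 0;
    for (size_t i = 0; i < NEIGHBOR; i++)
        if ((unsigned char)chunk[REPLY_BUF + i] != 0xCC)
            damaged = 1;
    free(chunk);
    return damaged;
}

/* Same constructed line through the checked copy into a real REPLY_BUF
 * heap buffer: returns 0 when accepted, -1 when rejected. */
int checked_copy_of_len(size_t n)
{
    char line[REPLY_BUF + NEIGHBOR];
    if (n >= sizeof line)
        return -1;
    memset(line, 'A', n);
    char *buf = malloc(REPLY_BUF);
    if (!buf)
        return -1;
    int rc = copy_reply_checked(buf, REPLY_BUF, line, n);
    free(buf);
    return rc;
}

int main(void)
{
    size_t lens[] = { 17, 31, 32, 40 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t n = lens[i];
        printf("%2zu-byte line: unchecked copy overflows by %zu byte(s), "
               "neighbor %s; checked copy %s\n",
               n, overflow_bytes(n, REPLY_BUF),
               unchecked_copy_clobbers_neighbor(n) ? "clobbered" : "intact",
               checked_copy_of_len(n) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The 32-byte case is the one worth studying: the payload fits exactly, yet the unchecked copy still writes its terminator one byte past the buffer, which is enough to corrupt whatever the allocator placed next. The checked form rejects that line because it reserves room for the terminator before copying.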

Solution

Upgrade to Sun Java System Web Proxy Server 4.0.8, or apply the patches referenced in the vendor alert:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-242986-1

Vendor Information

Sun Microsystems
http://sunsolve.sun.com/search/document.do?assetkey=1-66-242986-1

References

FrSIRT
http://www.frsirt.com/english/advisories/2008/2781

SecurityFocus
http://www.securityfocus.com/bid/31691

SecurityTracker
http://securitytracker.com/alerts/2008/Oct/1021038.html

Secunia
http://secunia.com/advisories/32227

CVE-Name
CVE-2008-4541

CWE-Name
CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003