[Sun] UPDATE: Vulnerability in Sun Java System Application Server - 102992
Dear colleagues,
We have just received the following bulletin from the SUN Customer Warning
System. We are passing this information on to you unchanged.
Please note that this is an update of the advisory, covering the following
changes:
With this update Sun announces the availability of patches for Sun Java
Application Server 9.0.
XSL Transformations (XSLT) is a programming language for transforming XML
documents. The programs are called XSLT stylesheets.
Sun Bug IDs 6542007 & 6523817 - Error in parsing XSLT stylesheets in
Java System Application Server
The Sun Java System Application Server and the Sun Java System Web Server
contain a flaw in the parsing of XSLT stylesheets within XSLT transforms
that are embedded in XML Signatures.
An attacker can exploit this vulnerability over the network to execute
arbitrary Java methods on the server by submitting a specially crafted
XSLT stylesheet to the server.
The following software packages and platforms are affected:
Solaris on SPARC platforms
* Sun Java System Web Server 7.0 without Update 1 or without patch 125437-07
* Sun Java System Application Server Platform Edition 8.2 without patch 124679-01 or SVR4 patch 124672-02
* Sun Java System Application Server Enterprise Edition 8.2 without patch 124675-01 or SVR4 patch 124672-02
* Sun Java System Application Server Platform Edition 9.0 without patch 124609-05
Solaris on x86 platforms
* Sun Java System Web Server 7.0 without Update 1 or without patch 125438-07
* Sun Java System Application Server Platform Edition 8.2 without patch 124680-01 or SVR4 patch 124673-02
* Sun Java System Application Server Enterprise Edition 8.2 without patch 124676-01 or SVR4 patch 124673-02
* Sun Java System Application Server Platform Edition 9.0 without patch 124610-05
Linux
* Sun Java System Web Server 7.0 without Update 1 or without patch 125439-07
* Sun Java System Application Server Platform Edition 8.2 without patch 124681-01 or RHEL3.0/RHEL4.0 (Pkg_patch) 124674-02
* Sun Java System Application Server Enterprise Edition 8.2 without patch 124677-01 or RHEL3.0/RHEL4.0 (Pkg_patch) 124674-02
* Sun Java System Application Server Platform Edition 9.0 without patch 124611-05
Windows
* Sun Java System Web Server 7.0 without Update 1 or without patch 125441-06
* Sun Java System Application Server Platform Edition 8.2 without patch 124682-01
* Sun Java System Application Server Enterprise Edition 8.2 without patch 124678-01 or package-based patch 124684-02
* Sun Java System Application Server Platform Edition 9.0 without patch 124612-05
HP-UX
* Sun Java System Web Server 7.0 prior to Update 1 or without patch 125440-01
Affected platforms: Sun Solaris on SPARC and x86 platforms, Linux, Windows, HP-UX
The vendor provides updated packages.
Vendor advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102992-1
(c) of the German summary: DFN-CERT Services GmbH; distribution, including
of excerpts, is permitted only with attribution to the author, DFN-CERT
Services GmbH, and only for non-commercial purposes.
Kind regards,
Jan Kohlrausch
--
Jan Kohlrausch (CSIRT), Phone +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Sun(sm) Alert Notification
* Sun Alert ID: 102992
* Synopsis: Security Vulnerability in Processing XSLT Stylesheets Affects
Sun Java System Application Server and Web Server
* Category: Security
* Product: Sun Java System Application Server Standard Edition 8.2, Sun
Java System Application Server Enterprise Edition 8.2, Sun Java System
Application Server Platform Edition 9.0 Update 1, Sun Java System
Application Server PE 9, Sun Java System Web Server 7.0
* BugIDs: 6542007, 6523817
* Avoidance: Patch
* State: Resolved
* Date Released: 10-Jul-2007, 26-Oct-2007
* Date Closed: 26-Oct-2007
* Date Modified: 29-Aug-2007, 26-Oct-2007
1. Impact
Certain releases of Sun Java System Application Server and Sun Java System
Web Server (listed in "Contributing Factors") do not securely process XSLT
stylesheets contained in XSLT Transforms in XML Signatures. This could allow
malicious XSLT stylesheets to be executed which may, for example, allow
execution of an arbitrary Java method.
Sun acknowledges, with thanks, Brad Hill of iSEC Partners, for bringing this
issue to our attention.
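As a defender-side illustration of the attack surface described above (an added example, not part of the Sun bulletin or the DFN-CERT text), the following Python pre-check walks the ds:Transform elements of an incoming XML Signature and refuses anything outside a small allow-list, so an XSLT transform never reaches the signature verifier. The allow-list, the two sample documents and the function names are my own constructions; patching the server, as the bulletin describes, remains the actual fix.

```python
"""Pre-check an XML document carrying an XML Signature and reject it if any
ds:Transform uses an algorithm outside a fixed allow-list (notably XSLT).
Constructed example; not code from the affected products."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm URI an XSLT transform carries in an XML Signature (W3C XML-DSig).
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Transforms a typical verifier legitimately needs; everything else is refused.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}


def find_disallowed_transforms(xml_text):
    """Return the Algorithm URIs of all ds:Transform elements that are not on
    the allow-list. A Transform with no Algorithm attribute is reported as ""
    so it is refused as well rather than silently accepted."""
    root = ET.fromstring(xml_text)
    disallowed = []
    for transform in root.iter("{%s}Transform" % DS_NS):
        algorithm = transform.get("Algorithm", "")
        if algorithm not in ALLOWED_TRANSFORMS:
            disallowed.append(algorithm)
    return disallowed


def is_safe_to_verify(xml_text):
    """True only if every Transform in the document is on the allow-list."""
    return not find_disallowed_transforms(xml_text)


# Constructed sample: an ordinary enveloped signature (passes the pre-check).
SAFE_SIG = """<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms>
  </ds:Reference></ds:SignedInfo></ds:Signature>
</root>"""

# Constructed sample: a signature carrying an (empty) XSLT transform (refused).
XSLT_SIG = """<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
        <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"/>
      </ds:Transform>
    </ds:Transforms>
  </ds:Reference></ds:SignedInfo></ds:Signature>
</root>"""

if __name__ == "__main__":
    print("safe sample accepted:", is_safe_to_verify(SAFE_SIG))
    print("xslt sample refused, offending transforms:", find_disallowed_transforms(XSLT_SIG))
```

The check runs on the raw document before any signature code touches it, so it also helps as a logging point: a rejected XSLT transform is worth recording, since the bulletin notes there are otherwise no predictable symptoms of exploitation.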
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Sun Java System Web Server 7.0 without Update 1
* Sun Java System Web Server 7.0 without patch 125437-07
* Sun Java System Application Server Platform Edition 8.2 without
file-based patch 124679-01 or SVR4 patch 124672-02
* Sun Java System Application Server Enterprise Edition 8.2 without
file-based patch 124675-01 or SVR4 patch 124672-02
* Sun Java System Application Server Platform Edition 9.0 without
file-based patch 124609-05
x86 Platform
* Sun Java System Web Server 7.0 without Update 1
* Sun Java System Web Server 7.0 without patch 125438-07
* Sun Java System Application Server Platform Edition 8.2 without
file-based patch 124680-01 or SVR4 patch 124673-02
* Sun Java System Application Server Enterprise Edition 8.2 without
file-based patch 124676-01 or SVR4 patch 124673-02
* Sun Java System Application Server Platform Edition 9.0 without
file-based patch 124610-05
Linux
* Sun Java System Web Server 7.0 without Update 1
* Sun Java System Web Server 7.0 without patch 125439-07
* Sun Java System Application Server Platform Edition 8.2 without
file-based patch 124681-01 or RHEL3.0/RHEL4.0 (Pkg_patch) 124674-02
* Sun Java System Application Server Enterprise Edition 8.2 without
file-based patch 124677-01 or RHEL3.0/RHEL4.0 (Pkg_patch) 124674-02
* Sun Java System Application Server Platform Edition 9.0 without
file-based patch 124611-05
Windows
* Sun Java System Web Server 7.0 without Update 1
* Sun Java System Web Server 7.0 without patch 125441-06
* Sun Java System Application Server Platform Edition 8.2 without
file-based patch 124682-01
* Sun Java System Application Server Enterprise Edition 8.2 without
file-based patch 124678-01 or package-based patch 124684-02
* Sun Java System Application Server Platform Edition 9.0 without
file-based patch 124612-05
HP-UX
* Sun Java System Web Server 7.0 without Update 1
* Sun Java System Web Server 7.0 without patch 125440-01
Note: No other versions of the applications listed above are vulnerable to
this issue.
To determine the version of Sun Java System Application Server on a system,
the following command can be run:
$ <AS_INSTALL>/bin/asadmin version --verbose
(Where <AS_INSTALL> is the installation directory of the Application
Server).
To determine the version of Sun Java System Web Server 7.0 on a system, the
following command can be run:
$ <WS-install>/bin/wadm --version
(Where <WS-install> is the installation directory of the Web Server).
Note: Bug 6523817 only impacts Sun Java System Web Server, and bug 6542007
impacts Sun Java System Application Server.
3. Symptoms
There are no predictable symptoms that would indicate the described issue
has been exploited.
Solution Summary
4. Relief/Workaround
There is no workaround for this issue. Please see the Resolution section
below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Sun Java System Web Server 7.0 with Update 1 or later
* Sun Java System Web Server 7.0 with patch 125437-07 or later
* Sun Java System Application Server Platform Edition 8.2 with file-based
patch 124679-01 or SVR4 patch 124672-02 or later
* Sun Java System Application Server Enterprise Edition 8.2 with
file-based patch 124675-01 or SVR4 patch 124672-02 or later
* Sun Java System Application Server Platform Edition 9.0 with file-based
patch 124609-05 or later
x86 Platform
* Sun Java System Web Server 7.0 with Update 1 or later
* Sun Java System Web Server 7.0 with patch 125438-07 or later
* Sun Java System Application Server Platform Edition 8.2 with file-based
patch 124680-01 or SVR4 patch 124673-02 or later
* Sun Java System Application Server Enterprise Edition 8.2 with
file-based patch 124676-01 or SVR4 patch 124673-02 or later
* Sun Java System Application Server Platform Edition 9.0 with file-based
patch 124610-05 or later
Linux
* Sun Java System Web Server 7.0 with Update 1 or later
* Sun Java System Web Server 7.0 with patch 125439-07 or later
* Sun Java System Application Server Platform Edition 8.2 with file-based
patch 124681-01 or RHEL3.0/RHEL4.0 (Pkg_patch) 124674-02 or later
* Sun Java System Application Server Enterprise Edition 8.2 with
file-based patch 124677-01 or RHEL3.0/RHEL4.0 (Pkg_patch) 124674-02 or
later
* Sun Java System Application Server Platform Edition 9.0 with file-based
patch 124611-05 or later
Windows
* Sun Java System Web Server 7.0 with Update 1 or later
* Sun Java System Web Server 7.0 with patch 125441-06 or later
* Sun Java System Application Server Platform Edition 8.2 with file-based
patch 124682-01 or later
* Sun Java System Application Server Enterprise Edition 8.2 with
file-based patch 124678-01 or package-based patch 124684-02 or later
* Sun Java System Application Server Platform Edition 9.0 with file-based
patch 124612-05 or later
HP-UX
* Sun Java System Web Server 7.0 with Update 1 or later
* Sun Java System Web Server 7.0 with patch 125440-01 or later
Sun Java System Web Server 7.0 Update 1 is available at
http://www.sun.com/download/products.xml?id=467713d6
Change History
29-Aug-2007:
* Updated Contributing Factors and Resolution sections
26-Oct-2007:
* Updated Contributing Factors and Resolution sections
* State: Resolved
This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information. It is being provided to you
pursuant to the provisions of your agreement to purchase services from Sun,
or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
Alert notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.