Alleged critical vulnerability in Sun Java System Web Server
Sun Microsystems' Java System Web Server apparently contains a critical security hole that can be exploited to remotely inject and execute code on the affected system. Vendor Intevydis claims that its VulnDisco Pack Professional 8.12 product contains a zero-day exploit that triggers a critical flaw in version 7.0 update 6 (7.0U6) of the web server.
However, very little actual information about the flaw has emerged so far. The only thing that seems to be known is that it involves a buffer overflow which can be exploited remotely. While Secunia and Vupen have rated the problem critical in their respective security advisories, neither firm has yet suggested specific protective measures. Sun has so far provided neither a statement nor a bug fix.
Sun Java System Web Server is the successor to the Sun ONE platform and is mainly used for large web applications in corporate environments. VulnDisco is a commercial collection of exploits for the Immunity Canvas pen-testing platform, which can be thought of as a commercial counterpart to Metasploit. VulnDisco is also said to demonstrate two previously unknown security problems in Solaris/OpenSolaris.