In association with heise online

18 April 2007, 12:25

Server vulnerability through bug in Sun’s Java Web Console


Sun has published updates for the Sun Java Web Console to fix a security vulnerability. The Java Web Console provides remote administrative access to the system. According to an advisory by security service provider n.runs, which discovered the hole, the flaw is a format string vulnerability in the logging of failed log-ins: the data an unauthenticated remote user supplies at the login prompt ends up being interpreted as a format string when the failed attempt is logged, so no valid credentials are needed to trigger it. Only limited information is available on the exact cause of this problem.

Although according to Sun the vulnerability can only be used to crash the console service or to read data from it, n.runs warns that it may also be used for remote code execution. Affected systems include Java Web Console 2.2.2 to 2.2.5 and Solaris 10. Solaris 8 and 9 do not ship the console by default. Solaris 10 11/06 and later versions are not affected by this bug. For all other versions, the updates for x86 and SPARC eliminate the problem. Alternatively, users may turn off console logging with the following command, which removes the vulnerable logging path at the cost of losing the console's log: /usr/sbin/smreg add -p -c logging.default.level=off
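The following is an added example, not Sun's code and not taken from the n.runs advisory. It shows the general shape of the bug the article describes: a logging helper whose first parameter is a printf-style format, and a failed-login handler that builds a message containing the attacker-supplied user name and then passes that message in the format slot. The hardened version beside it keeps the format constant and passes the user name as an argument. The function names, the log line format and the log-level switch (which stands in for the article's logging.default.level=off workaround) are assumptions for illustration.

```c
/* Added example: format-string bug in a failed-login logger, with its fix.
 * Not Sun's code; names, message format and log-level switch are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical console log level: 0 = off, 1 = on.
 * Setting it to 0 mirrors the article's workaround of disabling logging:
 * the format string is never processed, so the bug is unreachable. */
static int log_level = 1;

void set_log_level(int level) { log_level = level; }

/* Minimal logging helper. Like many real loggers, its first parameter is a
 * printf-style format. Formats into out; returns the length vsnprintf would
 * have produced, or -1 when logging is off. */
int log_event(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (log_level == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the message is built first (correctly), but is then handed to
 * log_event in the format slot. A user name such as "%x.%x.%x" dumps stack
 * words into the log (information leak), "%s" dereferences them (crash) and
 * "%n" writes to memory, which is what makes code execution plausible.
 * All of this happens before any password is checked. */
int log_failed_login_vulnerable(char *out, size_t outlen, const char *user)
{
    char msg[512];

    snprintf(msg, sizeof msg, "login failed for %s", user); /* fine */
    return log_event(out, outlen, msg);                     /* BUG: msg is the format */
}

/* HARDENED: constant format, user data only ever as an argument, so any
 * '%' in the user name is copied literally. */
int log_failed_login_safe(char *out, size_t outlen, const char *user)
{
    return log_event(out, outlen, "login failed for %s", user);
}

int main(void)
{
    char line[256];
    /* Constructed attacker input: a "user name" made of format directives. */
    const char *probe = "%08x.%08x.%08x.%08x";

    /* Leaks whatever is on the stack; the exact values differ per run. */
    log_failed_login_vulnerable(line, sizeof line, probe);
    printf("vulnerable: %s\n", line);

    /* Same input logged by the fixed handler: directives appear verbatim. */
    log_failed_login_safe(line, sizeof line, probe);
    printf("safe:       %s\n", line);

    /* With logging off, neither handler touches the format at all. */
    set_log_level(0);
    printf("logging off -> %d\n", log_failed_login_vulnerable(line, sizeof line, probe));
    return 0;
}
```

Note that the vulnerable call compiles without a warning from gcc's default -Wformat-security, because log_event carries no format attribute; that is why audit tooling and a `__attribute__((format(printf, 3, 4)))` on every such helper matter more than the compiler's defaults.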
