Skip to main content

Sun Java System Identity Manager Multiple Vulnerabilities

Last Update Date: 28 Jan 2011 Release Date: 23 Mar 2009 4278 Views

RISK: Medium Risk

Multiple vulnerabilities have been identified in Sun Java System Identity Manager, which could be exploited by attackers to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a vulnerable system.

1. An unspecified error can lead to unencrypted communication between clients and the IDM server.

2. An unspecified error can be exploited to enumerate valid user accounts.

3. An unspecified error can be exploited to change another user's password.

4. An unspecified error can be exploited to perform certain actions that are expected to be restricted.

Successful exploitation requires a valid user account.

5. Unspecified input is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

6. An unspecified error can be exploited to bypass certain security restrictions, which potentially allows cross-site scripting and cross-site request forgery attacks.

Successful exploitation requires a valid user account.

7. An unspecified error can be exploited to execute arbitrary commands on Unix / Linux based resource adapters.

8. An unspecified error can be exploited to modify IDM system configuration data.

9. An unspecified error can be exploited by IDM users to gain escalated privileges or to execute arbitrary code on the IDM server machine.

Successful exploitation may require a valid user account.

The vulnerabilities are reported in Sun Java System Identity Manager 7.0, 7.1, 7.1.1, and 8.0.

NOTE: Version 8.1 is reportedly not affected.


Impact

  • Cross-Site Scripting
  • Remote Code Execution
  • Security Restriction Bypass
  • Information Disclosure

System / Technologies affected

  • Sun Java System Identity Manager 7.x
  • Sun Java System Identity Manager 8.x

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

Apply patches

  • Sun Java System Identity Manager 7.0:
    Apply patch 140935-01.

  • Sun Java System Identity Manager 7.1:
    Apply patch 140936-01.

  • Sun Java System Identity Manager 7.1.1:
    Apply patch 137621-11.

  • Sun Java System Identity Manager 8.0:
    Apply patch 139010-06.


Vulnerability Identifier

  • No CVE information is available

Source