Sun Microsystems has fixed buffer overflow vulnerabilities in the Java System Web Proxy Server. Attackers could use the problem to remotely crash machines or launch malicious code.
The Santa Clara, Calif.-based company said in an advisory that "buffer overflow vulnerabilities may allow a remote unprivileged user to crash either the Web Proxy Server or the admin server (of the Web Proxy Server) or execute arbitrary code with the privileges of the respective server processes."
Researcher Matt Moore from British security firm Pentest Ltd. discovered the vulnerabilities and reported them to Sun. The proxy server does not properly handle "CONNECT Request" URIs and the proxy admin server has various buffer management flaws, Sun said. Further details have not been made available.
There are no reliable symptoms to indicate if and when the vulnerabilities have been exploited to execute arbitrary code, the company added. "The Web Proxy Server or admin server may crash if the buffer overflow vulnerabilities have been exploited," the advisory said.
The problems are fixed in Sun Java System Web Proxy Server 3.6 Service Pack 5 or later, the company said. There are no known workarounds.
Danish security firm Secunia calls the problem "highly critical" (its second-highest risk rating) because it can be remotely exploited.
"The vulnerabilities are caused due to some unspecified boundary errors that can be exploited to cause buffer overflows," Secunia said in its advisory.