Sun fixes flaw in Java proxy server

Bill Brenner, News Writer

Sun Microsystems has fixed buffer overflow vulnerabilities in the Java System Web Proxy Server. Attackers could use the problem to remotely crash machines or launch malicious code.

The Santa Clara, Calif.-based company said in an advisory that "buffer overflow vulnerabilities may allow a remote unprivileged user to crash either the Web Proxy Server or the admin server (of the Web Proxy Server) or execute arbitrary code with the privileges of the respective server processes."

Researcher Matt Moore from British security firm Pentest Ltd. discovered the vulnerabilities and reported them to Sun. The proxy server does not properly handle "CONNECT Request" URIs and the proxy admin server has various buffer management flaws, Sun said. Further details have not been made available.

There are no reliable symptoms to indicate if and when the vulnerabilities have been exploited to execute arbitrary code, the company added. "The Web Proxy Server or admin server may crash if the buffer overflow vulnerabilities have been exploited," the advisory said.

The problems are fixed in Sun Java System Web Proxy Server 3.6 Service Pack 5 or later, the company said. There are no known workarounds.

Danish security firm Secunia calls the problem "highly critical," its second-highest risk rating, because it can be remotely exploited.

"The vulnerabilities are caused due to some unspecified boundary errors that can be exploited to cause buffer overflows," Secunia said in its advisory.
