A newly discovered flaw in Sun Microsystems Inc.'s LDAP-based directory server could allow unauthorized users to tamper with the system and execute arbitrary commands.
According to an advisory published Friday by the French Security Incident Response Team (FrSIRT) and confirmed by Danish security monitoring Web site Secunia, Sun's Java System Directory Server version 5.2, including patch 3 and prior patches, is vulnerable to an unspecified error in the HTTP admin interface, which improperly handles specially crafted requests.
FrSIRT writes that, as a result, it is possible for remote attackers to use such requests to gain unauthorized access to a susceptible system and perform malicious actions.
Secunia has classified the problem as moderately critical. It was reportedly exposed by Peter Winter-Smith of UK-based vulnerability assessment firm NGS Software Ltd.
Affected users can eradicate the vulnerability by upgrading to System Directory Server 5.2 patch 4.
According to Sun, the Java System Directory Server is the most widely deployed general-purpose directory server based on Lightweight Directory Access Protocol, with more than 1.5 billion entries. Used by enterprises to manage large volumes of user information, it is a software component of Sun's Java Identity Management Suite, the vendor's toolset for managing and securing network identity data.