Sun fixes flaw in Java proxy server

By Bill Brenner, News Writer
01 Nov 2004 | SearchSecurity.com

Sun Microsystems has fixed buffer overflow vulnerabilities in the Java System Web Proxy Server. Attackers could use the problem to remotely crash machines or launch malicious code.

The Santa Clara, Calif.-based company said in an advisory that "buffer overflow vulnerabilities may allow a remote unprivileged user to crash either the Web Proxy Server or the admin server (of the Web Proxy Server) or execute arbitrary code with the privileges of the respective server processes."

Researcher Matt Moore from British security firm Pentest Ltd. discovered the vulnerabilities and reported them to Sun. The proxy server does not properly handle "CONNECT Request" URIs and the proxy admin server has various buffer management flaws, Sun said. Further details have not been made available.

There are no reliable symptoms to indicate if and when the vulnerabilities have been exploited to execute arbitrary code, the company added. "The Web Proxy Server or admin server may crash if the buffer overflow vulnerabilities have been exploited," the advisory said.

The problems are fixed in Sun Java System Web Proxy Server 3.6 Service Pack 5 or later, the company said. There are no known workarounds.

Danish security firm Secunia calls the problem "highly critical," its second-highest risk rating, because it can be remotely exploited.

"The vulnerabilities are caused due to some unspecified boundary errors that can be exploited to cause buffer overflows," Secunia said in its advisory.
