US-CERT Vulnerability Notes Database
Vulnerability Note VU#881254

Sun Java System Portal Server fails to properly handle changes to display options

Overview

There is a vulnerability in the Sun Java System Portal Server, which could allow a remote, authenticated user to gain access to the administrative credentials of the Calendar server.

I. Description

The Sun Java System Portal Server is a content management system that provides centralized login capabilities and administration. The Calendar Server is an optional product that can be used by the portal server to provide users the ability to collaboratively manage schedules and share resources. A vulnerability exists in the way changes to the display options are handled by the Sun Java System Portal Server. By changing the display options to a non-default view, a user could gain access to the administrative credentials on the Calendar Server.

According to the Sun Security Alert, this vulnerability only occurs if the following two conditions are true:

  • Admin Proxy Authentication is configured on the Calendar Server
  • Calendar access is via the "Portal" communication channel and not the "Unified Web Client" or the "Calendar Web Client"

Note: This issue only affects the calendar component. The calendar configuration information is not affected.

II. Impact

A remote, authenticated user could gain access to the administrative credentials of the Calendar server.

III. Solution

Apply Patch

Sun has released an advisory which addresses this issue. For more information on patches available for your system, please refer to Sun Security Alert: 57586.

Restrict Access

Sun recommends that you not allow end users the ability to edit the calendar channel's "calendar" or "view" display profile properties when Admin Proxy Authentication is enabled.

Systems Affected

Vendor: Sun Microsystems Inc.
Status: Vulnerable
Date Notified / Date Updated: 23-Jul-2004

References

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57586
http://wwws.sun.com/software/products/portal_srvr/home_portal.html
http://wwws.sun.com/software/products/calendar_srvr/home_calendar.html
http://docs.sun.com/source/816-6748-10/comm_config.html#wp34042
http://secunia.com/advisories/12134/
http://www.securitytracker.com/alerts/2004/Jul/1010756.html

Credit

This vulnerability was reported by Sun Microsystems.

This document was written by Damon Morda.

Other Information

Date Public: 2004-07-21
Date First Published: 2004-07-23
Date Last Updated: 2004-07-23
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric: 1.31
Document Revision: 15

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2004 Carnegie Mellon University