TITLE:
Sybase EAServer JPasswordField Password Disclosure

SECUNIA ADVISORY ID:
SA20145

VERIFY ADVISORY:
http://secunia.com/advisories/20145/

CRITICAL:
Not critical

IMPACT:
Exposure of sensitive information

WHERE:
Local system

SOFTWARE:
Sybase EAServer 5.x
http://secunia.com/product/5398/

DESCRIPTION:
A security issue has been reported in Sybase EAServer, which can be exploited by malicious, local users to disclose potentially sensitive information.

The security issue is caused by clear text passwords being returned by the "getSelectedText()" method of the "javax.swing.JPasswordField" UI component. This can potentially be exploited to disclose the password that has been entered into the password field.

Successful exploitation requires that e.g. a user keys in his password into a password prompt dialog box in a GUI application and leaves the dialog box open, or that the attacker has access to the file that stores private data from the JPasswordField UI component.

The security issue has been reported in the following versions:
* EAServer version 5.0 (HP-UX Itanium)
* EAServer version 5.2 (IBM AIX/HP-UX PA-RISC/Linux x86/Sun Solaris SPARC)

Note: The security issue affects users who develop and deploy their own J2EE Application Clients and Java GUI applications with EAServer using the javax.swing.JPasswordField UI component. GUI applications built by other vendors may also be affected.

SOLUTION:
Update to the fixed version or install the EBF.
http://downloads.sybase.com/

EAServer Version 5.0 (HP-UX Itanium):
Install EBF# 13542

EAServer Version 5.2 (IBM AIX):
Install EBF# 13540

EAServer Version 5.2 (HP-UX PA-RISC):
Install EBF# 13539

EAServer Version 5.2 (Linux x86):
Install EBF# 13541

EAServer Version 5.2 (Sun Solaris SPARC):
Update to EAServer 5.3 and follow the instructions in the latest version of the online release bulletin.

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.

ORIGINAL ADVISORY:
http://www.sybase.com/detail?id=1040665
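The following is an added illustration and is not code from the Secunia or Sybase advisory: it shows how getSelectedText() hands the clear-text password back as a String, beside the standard Swing handling (getPassword() into a char[] that is zeroed after use) that application developers using JPasswordField should review their code for. Class and method names are constructed for the example; the sample password is constructed input.

```java
import java.util.Arrays;
import javax.swing.JPasswordField;

// Added example, not from the advisory: weak vs. recommended JPasswordField use.
public class PasswordFieldHandling {

    // Weak pattern flagged by the advisory: getSelectedText() (inherited from
    // JTextComponent) returns the selected contents in clear text as an
    // immutable String, which lingers in the heap until garbage-collected.
    static String readViaSelectedText(JPasswordField field) {
        field.selectAll();
        return field.getSelectedText();
    }

    // Recommended pattern: getPassword() returns a mutable char[] copy that
    // the caller can wipe; the comparison below never builds a String and
    // runs in time independent of where the first mismatch is.
    static boolean verifyAndWipe(JPasswordField field, char[] expected) {
        char[] entered = field.getPassword();
        try {
            if (entered.length != expected.length) {
                return false;
            }
            int diff = 0;
            for (int i = 0; i < entered.length; i++) {
                diff |= entered[i] ^ expected[i];
            }
            return diff == 0;
        } finally {
            Arrays.fill(entered, '\0');   // wipe our copy of the password
            field.setText("");            // do not leave the password sitting in an open dialog
        }
    }

    public static void main(String[] args) {
        System.setProperty("java.awt.headless", "true");
        JPasswordField field = new JPasswordField();
        field.setText("s3cret");          // constructed sample input
        System.out.println("getSelectedText() returned: " + readViaSelectedText(field));
        char[] expected = "s3cret".toCharArray();
        System.out.println("verified: " + verifyAndWipe(field, expected));
        Arrays.fill(expected, '\0');
        System.out.println("field empty after wipe: " + (field.getPassword().length == 0));
    }
}
```

Note that setText("") only clears the visible field; the Swing Document's internal buffer may still hold the old characters, so the char[] from getPassword() remains the one copy the application fully controls.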