---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Sun Java System Application Server / Web Server File Disclosure SECUNIA ADVISORY ID: SA21251 VERIFY ADVISORY: http://secunia.com/advisories/21251/ CRITICAL: Moderately critical IMPACT: Exposure of system information, Exposure of sensitive information WHERE: >From remote SOFTWARE: Sun Java System Application Server (Sun ONE) 7.x http://secunia.com/product/1534/ Sun Java System Application Server 8.x http://secunia.com/product/3509/ Sun Java System Web Server (Sun ONE/iPlanet) 6.x http://secunia.com/product/92/ DESCRIPTION: A vulnerability has been reported in Sun Java System Application Server (SJSAS) and Sun Java System Web Server (SJSWS), which can be exploited by malicious people to gain knowledge of sensitive information. The vulnerability is caused due to an unspecified error and can be exploited to disclose arbitrary files on the system. SOLUTION: Update to fixed versions. -- SPARC Platform -- * Sun ONE Application Server 7 with Update 8 or later * Sun Java System Application Server 7 2004 Q2 with Update 5 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119169-02 or (SVR4) patch 119166-09 or later * Sun Java System Web Server 6.0 with Service Pack 10 or later * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later * Sun Java System Web Server 6.1 2005 Q1 with patch 116648-18 or later -- x86 Platform -- * Sun ONE Application Server 7 with Update 8 or later * Sun Java System Application Server 7 2004 Q2 with Update 5 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119170-02 or (SVR4) patch 119167-09 or later * Sun Java System Web Server 6.0 with Service Pack 10 or later * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later * Sun Java System Web Server 6.1 2005 Q1 with patch 116649-18 or later -- Linux Platform -- * Sun ONE Application Server 7 with Update 8 or later * Sun Java System Application Server 7 2004 Q2 with Update 5 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119171-02 or (SVR4) patch 119168-09 or later * Sun Java System Web Server 6.0 with Service Pack 10 or later * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later * Sun Java System Web Server 6.1 2005 Q1 with patch 118202-10 or later -- AIX Platform -- * Sun Java System Web Server 6.0 with Service Pack 10 or later * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later -- HP-UX Platform -- * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (native) patch 121514-01 or later * Sun Java System Web Server 6.0 with Service Pack 10 or later * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later -- Windows Platform -- * Sun ONE Application Server 7 with Update 8 or later * Sun Java System Application Server 7 2004 Q2 with Update 5 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file based) patch 119172-07 or (native) patch 121528-01 or later * Sun Java System Web Server 6.0 with Service Pack 10 or later * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102521-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------