----------------------------------------------------------------------

TITLE:
Sun Java System Identity Manager Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA34380

VERIFY ADVISORY:
http://secunia.com/advisories/34380/

DESCRIPTION:
Some vulnerabilities and security issues have been reported in Sun
Java System Identity Manager, which can be exploited by malicious
users to bypass certain security restrictions, and by malicious people
to disclose sensitive information, conduct cross-site scripting
attacks, bypass certain security restrictions, manipulate certain
data, or potentially compromise a vulnerable system.

1) An unspecified error can lead to unencrypted communication between
clients and the IDM server.

2) An unspecified error can be exploited to enumerate valid user
accounts.

3) An unspecified error can be exploited to change another user's
password.

4) An unspecified error can be exploited to perform certain actions
that are expected to be restricted.

Successful exploitation requires a valid user account.

5) Unspecified input is not properly sanitised before being used. This
can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

6) An unspecified error can be exploited to bypass certain security
restrictions, which potentially allows cross-site scripting and
cross-site request forgery attacks.

Successful exploitation requires a valid user account.

7) An unspecified error can be exploited to execute arbitrary commands
on Unix / Linux based resource adapters.

8) An unspecified error can be exploited to modify IDM system
configuration data.

9) An unspecified error can be exploited by IDM users to gain
escalated privileges or to execute arbitrary code on the IDM server
machine.

Successful exploitation may require a valid user account.

The vulnerabilities are reported in Sun Java System Identity Manager
7.0, 7.1, 7.1.1, and 8.0.

NOTE: Version 8.1 is reportedly not affected.

SOLUTION:
Apply patches.

Sun Java System Identity Manager 7.0:
Apply patch 140935-01.

Sun Java System Identity Manager 7.1:
Apply patch 140936-01.

Sun Java System Identity Manager 7.1.1:
Apply patch 137621-11.

Sun Java System Identity Manager 8.0:
Apply patch 139010-06.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Marco Mella
5) Dan Sinclair of Security Compass and ProCheckUp Ltd.
7) Alexandre Bezroutchko of Scanit

ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------