[Sec-cert] [Sun] Vulnerability in Identity Manager - Sun Alert 275010

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Thu Jan 14 16:13:07 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

we have just received the following Sun Security Advisory. We are
passing this information on to you unchanged.

Sun Bug ID 21838 - Vulnerability in Sun Java System Identity Manager

  An unspecified vulnerability in Sun Java System Identity Manager
  allows any user access with administrator privileges when Identity
  Manager has been configured together with Sun Java System Access
  Manager, OpenSSO Enterprise 8.0 or IBM Tivoli Access Manager.

The following software packages and platforms are affected:

  Sun Identity Manager 8.1 with patch 141642-06 or patch 141642-07 and
  without patch 141642-08

  All platforms on which Sun Java System Identity Manager runs

The vendor provides revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-275010-1


(c) of the German summary held by DFN-CERT Services GmbH;
distribution, including in excerpts, is permitted only with attribution
to the author, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
		Klaus Moeller, DFN-CERT

- -- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop    "Sicherheit in vernetzten Systemen"    09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

Alert URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-275010-1
Sun Security Alert: 275010

   Security Vulnerability in Identity Manager 8.1.0.5 and 8.1.0.6
   Configured with Sun Java System Access Manager, OpenSSO Enterprise 8.0
   or IBM Tivoli Access Manager
    __________________________________________________________________

   Category :                 Security
   Release Phase :            Resolved
   Bug Id :                   21838
   Product :                  Sun Identity Manager 8.1
   Date of Resolved Release : 11-Jan-2010

A security vulnerability in the Sun Java System Identity Manager:

   1. Impact
   A security vulnerability in the Sun Java System Identity Manager may
   allow a local or remote unprivileged user to gain unauthorized access
   with all administrator privileges when Identity Manager is configured
   with Sun Java System Access Manager, OpenSSO Enterprise 8.0 or IBM
   Tivoli Access Manager.

   2. Contributing Factors
   This issue can occur in the following release for all Identity Manager
   supported platforms:
     * Sun Java System Identity Manager 8.1 with patch 141642-06 or
       141642-07 and without patch 141642-08

   To determine the version of Sun Identity Manager installed on a system,
   log in to the administrator console using a browser and hover the mouse
   pointer over the "Help" tab in the upper right portion of the page. The
   current version will be displayed similar to the following:
    Version Sun Identity Manager 8.1 (20091021 Patch 5)

   Note:  Only Sun Identity Manager 8.1 with patch 141642-06 or patch
   141642-07 is affected by this vulnerability.

   3. Symptoms
   There are no predictable symptoms that would indicate the described
   issue has been exploited.

   4. Workaround
   There is no workaround for this issue. Please see the Resolution
   section below.

   5. Resolution
   This issue is addressed in the following release for all Identity
   Manager supported platforms:
     * Sun Java System Identity Manager 8.1 with patch 141642-08 or later

   For more information on Security Sun Alerts, see Technical Instruction
   ID 213557.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
   ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
   OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
   Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFLTzSDWmhIvjFb90URAlyiAKCSjtzCebh3QN3IA7YcJiXsTikwtwCeOUeH
QOIlSwJ3vCT6vIfMsP8iiF4=
=Akaz
-----END PGP SIGNATURE-----
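
The version check from section 2 of the Sun Alert above, as an added triage example (not part of the original message or of Sun's advisory). It classifies one evidence string per host; the host names, the sample inventory and the reading of the console's "Patch N" as release 8.1.0.N are assumptions.

```python
import re

# Values taken from the Sun Alert text above.
PATCH_BASE = "141642"
AFFECTED_PATCH_REVS = {6, 7}                 # patch 141642-06 / 141642-07
AFFECTED_RELEASES = {"8.1.0.5", "8.1.0.6"}   # releases named in the alert title

# Console format shown in the alert:
#   "Version Sun Identity Manager 8.1 (20091021 Patch 5)"
CONSOLE_RE = re.compile(
    r"Sun Identity Manager\s+(\d+(?:\.\d+)*)\s*\(\s*\d{8}(?:\s+Patch\s+(\d+))?\s*\)")
PATCH_ID_RE = re.compile(r"\b(\d{6})-(\d{2})\b")


def classify(evidence):
    """Return 'affected', 'not_affected' or 'unknown' for one evidence string."""
    m = PATCH_ID_RE.search(evidence)
    if m:  # an explicit patch ID is the strongest evidence
        if m.group(1) != PATCH_BASE:
            return "unknown"  # a different patch says nothing about this alert
        return "affected" if int(m.group(2)) in AFFECTED_PATCH_REVS else "not_affected"
    m = CONSOLE_RE.search(evidence)
    if m:
        base, level = m.groups()
        if base != "8.1":
            return "not_affected"  # the alert's note limits the issue to 8.1
        # ASSUMPTION (not stated in the alert): console "Patch N" is release 8.1.0.N
        release = "8.1.0.%s" % (level or "0")
        return "affected" if release in AFFECTED_RELEASES else "not_affected"
    return "unknown"  # no usable version evidence: check the console by hand


# Constructed inventory; only the idm-a string appears in the alert itself.
INVENTORY = {
    "idm-a": "Version Sun Identity Manager 8.1 (20091021 Patch 5)",
    "idm-b": "Version Sun Identity Manager 8.1 (20091201 Patch 6)",
    "idm-c": "patch 141642-08",
    "idm-d": "patch 141642-07",
    "idm-e": "Version Sun Identity Manager 8.0 (20080101 Patch 3)",
    "idm-f": "version string not captured",
}


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ev) for host, ev in inventory.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(INVENTORY).items()):
        print(host, verdict)
```

Hosts reported as "unknown" need the manual console check the alert describes; the alert states that exploitation leaves no predictable symptoms, so patch level is the only signal available.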


