=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN417
_____________________________________________________________________

DATE                      : 01/08/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sun Java System Web Server,
                            Sun Java System Application Server.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 102521
      * Synopsis: Security Vulnerability in Sun Java System Application
        Server and Sun Java System Web Server May Allow a Remote
        Unprivileged User to Read Certain Files
      * Category: Security
      * Product: Sun ONE Application Server 7, Standard Edition, Sun Java
        System Web Server 6.1, Sun Java System Web Server 6.0 Service Pack
        8, Sun Java System Application Server Enterprise Edition 7 2004Q2,
        Sun Java System Application Server Enterprise Edition 8.1 2005Q1,
        Sun ONE Application Server 7, Platform Edition
      * BugIDs: 6302377, 6284124, 6308777
      * Avoidance: Patch, Upgrade
      * State: Resolved
      * Date Released: 27-Jul-2006
      * Date Closed: 27-Jul-2006
      * Date Modified:

1. Impact

    A security vulnerability in Sun Java System Application Server (SJSAS)
    and Sun Java System Web Server (SJSWS) may allow a remote unprivileged
    user to read files outside of the configured document root directory
    of the system upon which SJSAS or SJSWS is running.

2. Contributing Factors

    This issue can occur in the following releases:

    SPARC Platform
      * Sun ONE Application Server 7 without Update 8
      * Sun Java System Application Server 7 2004 Q2 without Update 5
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119169-02 or (SVR4) patch
        119166-09
      * Sun Java System Web Server 6.0 without Service Pack 10
      * Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
      * Sun Java System Web Server 6.1 2005 Q1 without patch 116648-18

    x86 Platform
      * Sun ONE Application Server 7 without Update 8
      * Sun Java System Application Server 7 2004 Q2 without Update 5
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119170-02 or (SVR4) patch
        119167-09
      * Sun Java System Web Server 6.0 without Service Pack 10
      * Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
      * Sun Java System Web Server 6.1 2005 Q1 without patch 116649-18

    Linux Platform
      * Sun ONE Application Server 7 without Update 8
      * Sun Java System Application Server 7 2004 Q2 without Update 5
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119171-02 or (SVR4) patch
        119168-09
      * Sun Java System Web Server 6.0 without Service Pack 10
      * Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6
      * Sun Java System Web Server 6.1 2005 Q1 without patch 118202-10

    AIX Platform
      * Sun Java System Web Server 6.0 without Service Pack 10
      * Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6

    HP-UX Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (native) patch 121514-01
      * Sun Java System Web Server 6.0 without Service Pack 10
      * Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6

    Windows Platform
      * Sun ONE Application Server 7 without Update 8
      * Sun Java System Application Server 7 2004 Q2 without Update 5
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file based) patch 119172-07 or (native) patch
        121528-01
      * Sun Java System Web Server 6.0 without Service Pack 10
      * Sun Java System Web Server 6.1 2005 Q1 without Service Pack 6

    To determine the version of Sun Java System Application Server on a
    system, the following command can be run:
     $ <AS_INSTALL>/bin/asadmin version --verbose
     Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)

    (Where <AS_INSTALL> is the installation directory of the Application
    Server).

    To determine the version of Sun Java System Web Server on a system,
    the following command can be run:
     $ <WS-install>/https-<host>/start -version

    (Where <WS-install> is the top installation directory of the Web Server
    and <host> is the name of the host on which the Web Server is
    installed).
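    The following script is an added example, not part of the Sun Alert or
    of the CERT-Renater note, and is not Sun's own tooling. It turns the
    version/patch checks above into something that can be run across a
    fleet: it parses the output of `showrev -p` (Solaris 8/9; `patchadd -p`
    prints the same "Patch: ID-REV ..." lines on Solaris 10) and reports
    whether each SVR4 patch listed in sections 2 and 5 is installed at or
    above the required revision, and it interprets the "UR<n>" token of the
    `asadmin version --verbose` string as the Update Release number. The
    showrev text is constructed for the demonstration, the function names
    patch_ok, check_patches and update_ok are this example's own, and the
    UR<n> reading is an assumption based on the single sample line on this
    page. Note that the "(file-based)" patches the alert mentions are not
    SVR4 packages and do not appear in `showrev -p`, so only the SVR4 and
    Web Server patch IDs can be checked this way.

```shell
#!/bin/sh
# Added example (not from the Sun Alert or CERT-Renater): check whether a
# Solaris host carries the SVR4 patches named in sections 2 and 5 at or
# above the required revision, and whether an Application Server 7 build is
# at or above a given Update Release.  The showrev text is constructed.

# Constructed sample of `showrev -p` output (fields after the patch ID are
# left empty for brevity).  In production use:  SHOWREV=$(showrev -p)
SAMPLE_SHOWREV='Patch: 119166-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu
Patch: 116648-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwbsvr
Patch: 113713-21 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# patch_ok ID-REV SHOWREV_TEXT
# Returns 0 if the base patch ID is installed at a revision >= REV.  A higher
# revision of the same base also passes, matching Sun's "or later" wording.
patch_ok() {
    base=${1%-*}
    need=${1##*-}
    printf '%s\n' "$2" | awk -v base="$base" -v need="$need" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (p[2] + 0) >= (need + 0)) ok = 1
        }
        END { if (ok) exit 0; exit 1 }'
}

# check_patches "ID-REV ID-REV ..." SHOWREV_TEXT
# Prints one line per required patch and returns the number still missing.
check_patches() {
    missing=0
    for p in $1; do
        if patch_ok "$p" "$2"; then
            echo "OK       $p"
        else
            echo "MISSING  $p"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# update_ok VERSION_STRING N
# `asadmin version --verbose` on Application Server 7 prints a string such as
# "Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)".
# Assumption: the "UR<n>" token is the Update Release; returns 0 when n >= N.
update_ok() {
    ur=$(printf '%s\n' "$1" | sed -n 's/.*UR\([0-9][0-9]*\).*/\1/p')
    [ -n "$ur" ] && [ "$ur" -ge "$2" ]
}

# Demo against the constructed data: SPARC SVR4 patch for SJSAS EE 8.1 2005Q1
# (119166-09) and the SJSWS 6.1 patch (116648-18) from section 5.
check_patches "119166-09 116648-18" "$SAMPLE_SHOWREV" \
    || echo "$? patch(es) below the required revision"
update_ok "Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)" 5 \
    || echo "Application Server 7 2004Q2 is below Update 5: still affected"
```

    Run it on each host with `SAMPLE_SHOWREV` replaced by the real
    `showrev -p` output; a non-zero return from check_patches is the count
    of patches still at an affected revision. Windows, HP-UX and Linux
    installations use their own package formats and are not covered by the
    showrev parsing.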

3. Symptoms

    There are no reliable symptoms that would indicate the described
    issues have been exploited.

4. Relief/Workaround

    There is no workaround for this issue. Please see the Resolution
    section below.

5. Resolution

    This issue is addressed in the following releases:

    SPARC Platform
      * Sun ONE Application Server 7 with Update 8 or later
      * Sun Java System Application Server 7 2004 Q2 with Update 5 or
        later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119169-02 or (SVR4) patch
        119166-09 or later
      * Sun Java System Web Server 6.0 with Service Pack 10 or later
      * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
        later
      * Sun Java System Web Server 6.1 2005 Q1 with patch 116648-18 or
        later

    x86 Platform
      * Sun ONE Application Server 7 with Update 8 or later
      * Sun Java System Application Server 7 2004 Q2 with Update 5 or
        later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119170-02 or (SVR4) patch
        119167-09 or later
      * Sun Java System Web Server 6.0 with Service Pack 10 or later
      * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
        later
      * Sun Java System Web Server 6.1 2005 Q1 with patch 116649-18 or
        later

    Linux Platform
      * Sun ONE Application Server 7 with Update 8 or later
      * Sun Java System Application Server 7 2004 Q2 with Update 5 or
        later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119171-02 or (SVR4) patch
        119168-09 or later
      * Sun Java System Web Server 6.0 with Service Pack 10 or later
      * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
        later
      * Sun Java System Web Server 6.1 2005 Q1 with patch 118202-10 or
        later

    AIX Platform
      * Sun Java System Web Server 6.0 with Service Pack 10 or later
      * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
        later

    HP-UX Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (native) patch 121514-01 or later
      * Sun Java System Web Server 6.0 with Service Pack 10 or later
      * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
        later

    Windows Platform
      * Sun ONE Application Server 7 with Update 8 or later
      * Sun Java System Application Server 7 2004 Q2 with Update 5 or
        later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file based) patch 119172-07 or (native) patch
        121528-01 or later
      * Sun Java System Web Server 6.0 with Service Pack 10 or later
      * Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
        later

    Product Updates:

    Sun ONE Application Server 7 Update 8 can be found at:
    http://www.sun.com/download/products.xml?id=438cfb75

    Sun Java System Application Server 7 2004 Q2 Update 5 can be found at:
    http://www.sun.com/download/products.xml?id=44529a75

    Sun Java System Web Server 6.0 Service Pack 10 can be found at:
    http://www.sun.com/download/products.xml?id=43a84f89

    Sun Java System Web Server 6.1 Service Pack 6 can be found at:
    http://www.sun.com/download/products.xml?id=44989742

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
