=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN541
_____________________________________________________________________

DATE                      : 06/12/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sun Java System Servers.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 102733
      * Synopsis: Security Vulnerability With HTTP Requests in Sun Java
        System Server(s)
      * Category: Security
      * Product: Sun Java System Web Server 6.0 Service Pack 10, Sun Java
        System Application Server Platform Edition 8.1 2005Q1, Sun ONE
        Application Server 7, Enterprise Edition, Sun ONE Application
        Server 7, Standard Edition, Sun Java System Application Server
        Platform Edition 8.1 2005Q1 Update Release 1, Sun Java System Web
        Proxy Server 4.0, Sun Java System Web Server 6.1, Sun Java System
        Application Server Enterprise Edition 8.1 2005Q1, Sun Java System
        Web Proxy Server 3.6
      * BugIDs: 6300506, 6300510, 6289242, 6285847, 6286541, 6285724,
        6286783
      * Avoidance: Patch
      * State: Resolved
      * Date Released: 30-Nov-2006
      * Date Closed: 30-Nov-2006
      * Date Modified:

1. Impact

    If the Sun Java System Proxy Server is used in conjunction with the
    Sun Java System Application Server or the Sun Java System Web Server
    then it may be susceptible to "HTTP Request Smuggling" (HRS) which can
    allow remote unprivileged users to be able to poison web caches,
    hijack sessions, perform cross-site scripting (CSS or XSS) attacks or
    bypass web application firewall protection. Further information about
    HRS can be found at
    https://www.watchfire.com/securearea/whitepapers.aspx?id=12.
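    HRS works by sending a request whose body length the front-end proxy
    and the back-end server interpret differently (typically conflicting
    Content-Length and Transfer-Encoding headers, or duplicate
    Content-Length values), so that leftover bytes are treated as the start
    of the next request. A proxy that refuses such ambiguously framed
    requests removes the precondition. The following Python check is an
    added example, not code from this Sun Alert or from Sun's products; the
    policy it enforces, the function names and the sample requests are
    constructed for illustration.

```python
"""
Added example (not part of the Sun Alert or the CERT-Renater note):
a front-end check that flags the request-framing ambiguities on which
HTTP Request Smuggling relies, so a proxy can answer 400 instead of
forwarding the request.  Function names and sample requests are constructed.
"""
from typing import List, Tuple

# Reasons a request's body length is ambiguous (see RFC 7230, section 3.3.3).
CONFLICTING_CL_TE = "both Content-Length and Transfer-Encoding present"
MULTIPLE_CL = "multiple Content-Length values that disagree"
BAD_CL = "Content-Length is not a non-negative ASCII integer"
NONSTANDARD_TE = "Transfer-Encoding other than exactly 'chunked' (strict policy)"
OBS_FOLD = "obsolete line folding in headers"


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of a raw request into (name, value) pairs.

    Names are lower-cased.  Obsolete folded continuation lines (starting
    with SP or HTAB) are kept as separate entries with an empty name so
    the caller can flag them instead of silently joining them."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line
    headers: List[Tuple[str, str]] = []
    for line in lines:
        if not line:
            continue
        text = line.decode("latin-1")
        if text[:1] in (" ", "\t"):
            headers.append(("", text))
            continue
        name, _, value = text.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_problems(raw: bytes) -> List[str]:
    """Return the framing ambiguities found in a raw HTTP/1.x request.

    An empty list means the request carries exactly one unambiguous body
    length (or none at all)."""
    headers = parse_headers(raw)
    problems: List[str] = []

    if any(name == "" for name, _ in headers):
        problems.append(OBS_FOLD)

    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        problems.append(CONFLICTING_CL_TE)

    # A header may appear several times or carry a comma-separated list;
    # flatten both forms before comparing values.
    cl_values = [v.strip() for h in cls for v in h.split(",")]
    if cl_values:
        # isascii() guards against non-ASCII digits that isdigit() accepts.
        if any(not (v.isascii() and v.isdigit()) for v in cl_values):
            problems.append(BAD_CL)
        elif len(set(cl_values)) > 1:
            problems.append(MULTIPLE_CL)

    te_values = [v.strip().lower() for h in tes for v in h.split(",")]
    if te_values and te_values != ["chunked"]:
        problems.append(NONSTANDARD_TE)
    return problems


def should_reject(raw: bytes) -> bool:
    """Strict front-end policy: any framing ambiguity is answered with 400."""
    return bool(framing_problems(raw))


# Constructed sample requests used to exercise the check.
CLEAN = (b"POST / HTTP/1.1\r\nHost: app.example.test\r\n"
         b"Content-Length: 2\r\n\r\nok")
CL_TE = (b"POST / HTTP/1.1\r\nHost: app.example.test\r\n"
         b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")
DUP_CL = (b"GET / HTTP/1.1\r\nHost: app.example.test\r\n"
          b"Content-Length: 4\r\nContent-Length: 5\r\n\r\n")
FOLDED_TE = (b"GET / HTTP/1.1\r\nHost: app.example.test\r\n"
             b"Transfer-Encoding:\r\n chunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE),
                       ("dup-cl", DUP_CL), ("folded-te", FOLDED_TE)]:
        print(f"{label:10s} reject={should_reject(req)} {framing_problems(req)}")
```

    The check is deliberately stricter than the RFC's own resolution rule
    (which lets Transfer-Encoding override Content-Length): at a proxy that
    fronts a separately implemented back end, the safe choice is to reject
    every request whose framing the two parsers could read differently.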

2. Contributing Factors

    This issue can occur in the following releases:

    SPARC Platform
      * Sun Java System Proxy Server 3.6 without Service Pack 8
      * Sun Java System Proxy Server 4.0 without Service Pack 1
      * Sun Java System Web Server 6.0 without Service Pack 10
      * Sun Java System Web Server 6.1 2005Q1 without Service Pack 5
      * Sun ONE Application Server 7 without Update 8
      * Sun Java System Application Server 7 2004Q2 without Update 4
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119169-02 or (SVR4) patch
        119166-09
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file-based) patch 119173-01

    x86 Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119170-02 or (SVR4) patch
        119167-09
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file-based) patch 119174-01

    Linux Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119171-02 or (Pkg) patch
        119168-09
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file-based) patch 119175-01

    Windows Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file based) patch 119172-07 or (native) patch
        121528-01
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file based) patch 119176-01

    To determine the version of Sun Java System Application Server on a
    system, the following command can be run:
     $ <AS_INSTALL>/bin/asadmin version --verbose
     Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)

    (Where <AS_INSTALL> is the installation directory of the Application
    Server).

    To determine the version of Sun Java System Web Server on a system,
    the following command can be run:
     $ <WS-install>/https-<host>/start -version

    (Where <WS-install> is the top installation directory of the Web Server
    and <host> is the actual host name on which the Web Server is
    installed).

    To determine the version of Sun Java System Proxy Server on a system,
    the following command can be run:
     $ <PS_INSTALL>/bin/ns-proxy -v

    (Where <PS_INSTALL> is the installation directory of the Proxy
    Server).

3. Symptoms

    There are no reliable symptoms that would indicate the described issue
    has been exploited.

4. Relief/Workaround

    There is no workaround for this issue. Please see the Resolution
    section below.

5. Resolution

    This issue is addressed in the following releases:

    SPARC Platform
      * Sun Java System Proxy Server 3.6 Service Pack 8 or later
      * Sun Java System Proxy Server 4.0 Service Pack 1 or later
      * Sun Java System Web Server 6.0 Service Pack 10 or later
      * Sun Java System Web Server 6.1 2005Q1 Service Pack 5 or later
      * Sun ONE Application Server 7 Update 8 or later
      * Sun Java System Application Server 7 2004Q2 Update 4 or later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119169-02 or (SVR4) patch
        119166-09 or later
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file-based) patch 119173-01 or later

    x86 Platform
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file-based) patch 119174-01 or later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119170-02 or (SVR4) patch
        119167-09 or later

    Linux Platform
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file-based) patch 119175-01 or later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119171-02 or (Pkg) patch 119168-09
        or later

    Windows Platform
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file based) patch 119176-01 or later
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file based) patch 119172-07 or (native) patch
        121528-01

    Sun Java System Proxy Server 3.6 Service Pack 8 or later is available
    at:

    http://www.sun.com/download/products.xml?id=42fa5c49

    Sun Java System Proxy Server 4.0 Service Pack 1 or later is available
    at:

    http://www.sun.com/download/products.xml?id=4384b5dd

    Sun Java System Web Server 6.0 Service Pack 10 or later is available
    at:

    http://www.sun.com/download/products.xml?id=43a84f89

    Sun Java System Web Server 6.1 2005Q1 Service Pack 5 or later is
    available at:

    http://www.sun.com/download/products.xml?id=434aec1d

    http://www.sun.com/download/products.xml?id=43c43041
    (International Edition)

    Sun ONE Application Server 7 Update 8 or later is available at:

    http://www.sun.com/download/products.xml?id=438cfb75 (Platform
    Edition)

    http://www.sun.com/download/products.xml?id=438cf33d (Standard
    Edition)

    Sun Java System Application Server 7 2004Q2 Update 4 or later is
    available at:

    http://www.sun.com/download/products.xml?id=4331ff42 (Standard
    Edition)

    http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=8&PartDeta
    ilId=SJAS72004Q2U4-EE-OTH-G-ES (Enterprise Edition)

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
