=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN512
_____________________________________________________________________

DATE                      : 13/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sun Java System Identity Manager.

======================================================================
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-243386-1
______________________________________________________________________

Solution Type: Sun Alert
   Solution  243386 :   Multiple Security Vulnerabilities in Sun Java
   System Identity Manager
   Bug ID: N/A

Product

   Sun Java System Identity Manager 6.0
   Sun Java System Identity Manager 6.0 SP1
   Sun Java System Identity Manager 6.0 SP2
   Sun Java System Identity Manager 6.0 SP3
   Sun Java System Identity Manager 6.0 SP4
   Sun Java System Identity Manager 7.0
   Sun Java System Identity Manager 7.1

   Date of Resolved Release: 11-Nov-2008

Multiple Security Vulnerabilities in Sun Java System Identity Manager

1. Impact

   Sun Java System Identity Manager is affected by multiple security
   vulnerabilities with varying impacts.

   Cross-site Scripting (XSS) vulnerabilities may allow a local or remote
   unprivileged user the ability to execute unauthorized scripting code
   in a user's browser when that user clicks a link to Sun Java System
   Identity Manager.

   A certain vulnerability related to CSRF (Cross-site Request Forgery)
   may allow a local or remote unprivileged user to gain unauthorized
   access to the Administrator account.

   A further vulnerability may allow a local or remote unprivileged user
   to gain unauthorized access to certain files on the IDM server's
   filesystem.

   In addition, two further vulnerabilities may allow a local or remote
   unprivileged user to redirect the browser to unintended remote sites
   or to inject frames containing data from unintended sites.

   Sun would like to acknowledge with thanks, Richard Brain, Adrian
   Pastor and Jan Fry of ProCheckup Ltd. for bringing two of these issues
   to our attention.

2. Contributing Factors

   These issues can occur in the following releases (for all supported
   platforms):

     * Sun Java System Identity Manager 6.0 without patches 136848-02
       and 139081-01
     * Sun Java System Identity Manager 6.0 SP1 without patches
       136849-02 and 139082-01
     * Sun Java System Identity Manager 6.0 SP2 without patches
       136850-02 and 139083-01
     * Sun Java System Identity Manager 6.0 SP3 without patches
       136851-02 and 139084-01
     * Sun Java System Identity Manager 6.0 SP4 without patch
       139085-01
     * Sun Java System Identity Manager 7.0 without patches 136852-02
       and 139086-01
     * Sun Java System Identity Manager 7.1 without patches 136853-02
       and 139087-01

   Note: Identity Manager 8.0/8.1 is not affected by these issues.

   To determine the version of Sun Java System Identity Manager installed
   on a system, log in to the administrator console using a browser and
   hover the mouse pointer over the "Help" tab in the upper right portion
   of the masthead. The current version will be displayed similar to the
   following:

   Version Sun Java System Identity Manager 7.0 (20070523)

3. Symptoms

   There are no predictable symptoms that would indicate the described
   issues have been exploited.

4. Workaround

   There are no workarounds for these issues. Please see the Resolution
   section below.

5. Resolution

   These issues are addressed in the following releases (for all
   supported platforms):

     * Sun Java System Identity Manager 6.0 with patches 136848-02 or
       later and 139081-01 or later
     * Sun Java System Identity Manager 6.0 SP1 with patches
       136849-02 or later and 139082-01 or later
     * Sun Java System Identity Manager 6.0 SP2 with patches
       136850-02  or later and 139083-01 or later
     * Sun Java System Identity Manager 6.0 SP3 with patches
       136851-02 or later and 139084-01 or later
     * Sun Java System Identity Manager 6.0 SP4 with patch 139085-01
       or later
     * Sun Java System Identity Manager 7.0 with patches 136852-02 or
       later and 139086-01 or later
     * Sun Java System Identity Manager 7.1 with patches 136853-02 or
       later and 139087-01 or later

Notes:

   This release includes a 'security guard' feature to mitigate against
   certain types of vulnerabilities related to the session
   infrastructure. However, the feature is not enabled by default. The
   feature requires the use of cookies. If cookies are disabled for
   security reasons, it will not be possible to enable this feature as it
   will prevent the use of Identity Manager. There is no user-sensitive
   data present in the cookie being sent, and it only lives in memory
   during a user's session.

   To enable the security guard (in addtion to, and after patch
   installation), change the system configuration
   'security.csrfGuardToken.enable' to "true" using the IDE plugin.
   For more information on Security Sun Alerts, see Technical
   Instruction ID 213557.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================