=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN178
_____________________________________________________________________

DATE                      : 13/05/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sun GlassFish Enterprise Server,
                               Sun Java System Application Server.

======================================================================
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-258528-1
______________________________________________________________________
Solution Type: Sun Alert
Solution  258528 :   Cross-Site Scripting (XSS) Vulnerabilities in Sun
GlassFish Enterprise Server and Sun Java System Application Server May
Allow Execution of JavaScript Code
Bug ID: 6820994, 6717148

Product
Sun GlassFish Enterprise Server v2.1
Sun Java System Application Server Platform Edition 9.1

Date of Workaround Release: 11-May-2009

SA Document Body
Cross-Site Scripting (XSS) Vulnerabilities in Sun GlassFish Enterprise
Server and Sun Java System Application Server May Allow Execution of
JavaScript Code

1. Impact
Cross-Site Scripting (XSS) vulnerabilities in the Administration
Interface of Sun GlassFish Enterprise Server and Sun Java System
Application Server may allow a remote, unprivileged attacker to execute
JavaScript within the browser session of a user who is authenticated to
that interface. Since the affected pages belong to the administration
console, the victim is typically an administrator, and the consequences
include theft of sensitive information (such as session cookies), access
to user credentials, and hijacking of the administrative session.
Sun thanks Digital Security Research Group for bringing the issue tracked
as BugID 6820994 to our attention.

2. Contributing Factors
These issues can occur in the following releases:
For customers with a valid support contract:
   SPARC Platform
     * Sun GlassFish Enterprise Server 2.1 with HADB (Package Based)
     * Sun GlassFish Enterprise Server 2.1 with HADB without patch
       128643-10
     * Sun GlassFish Enterprise Server 2.1 without patch 128647-10
     * Sun Java System Application Server 9.1U2 with HADB (Package Based)
       without patch 128640-10
     * Sun Java System Application Server 9.1U2 with HADB without patch
       128643-10
     * Sun Java System Application Server 9.1U2 without patch
       128647-10

   x86 Platform
     * Sun GlassFish Enterprise Server 2.1 with HADB (Package Based)
     * Sun GlassFish Enterprise Server 2.1 with HADB without patch
       128644-10
     * Sun GlassFish Enterprise Server 2.1 without patch 128648-10
     * Sun Java System Application Server 9.1U2 with HADB (Package Based)
       without patch 128641-10
     * Sun Java System Application Server 9.1U2 with HADB without patch
       128644-10
     * Sun Java System Application Server 9.1U2 without patch
       128648-10

   Linux
     * Sun GlassFish Enterprise Server 2.1 with HADB (Package Based)
     * Sun GlassFish Enterprise Server 2.1 with HADB without patch
       128645-10
     * Sun GlassFish Enterprise Server 2.1 without patch 128649-10
     * Sun Java System Application Server 9.1U2 with HADB (Package Based)
       without patch 128642-10
     * Sun Java System Application Server 9.1U2 with HADB without patch
       128645-10
     * Sun Java System Application Server 9.1U2 without patch
       128649-10

   Windows
     * Sun GlassFish Enterprise Server 2.1 with HADB without patch
       128646-10
     * Sun GlassFish Enterprise Server 2.1 without patch 128650-10
     * Sun Java System Application Server 9.1U2 with HADB without patch
       128646-10
     * Sun Java System Application Server 9.1U2 without patch
       128650-10

   AIX
     * Sun GlassFish Enterprise Server 2.1 without patch 137916-09
     * Sun Java System Application Server 9.1U2 without patch
       137916-09

   For customers without a valid support contract:
   SPARC Platform
     * Sun GlassFish Enterprise Server 2.1 with HADB (Package Based)
     * Sun GlassFish Enterprise Server 2.1 with HADB
     * Sun GlassFish Enterprise Server 2.1

   x86 Platform
     * Sun GlassFish Enterprise Server 2.1 with HADB (Package Based)
     * Sun GlassFish Enterprise Server 2.1 with HADB
     * Sun GlassFish Enterprise Server 2.1

   Linux
     * Sun GlassFish Enterprise Server 2.1 with HADB (Package Based)
     * Sun GlassFish Enterprise Server 2.1 with HADB
     * Sun GlassFish Enterprise Server 2.1

   Windows
     * Sun GlassFish Enterprise Server 2.1 with HADB
     * Sun GlassFish Enterprise Server 2.1

   AIX
     * Sun GlassFish Enterprise Server 2.1

Note: Sun Java System Application Server 8.x and 9.0 are not affected
      by this issue. To determine the version of Sun GlassFish Enterprise
      Server or Sun Java System Application Server on a system, the
      following command can be run:
         $ <AS-install>/bin/asadmin -version

      (Where <AS-install> is the installation directory of the Application
      Server).

3. Symptoms
There are no predictable symptoms that would indicate the described
issues have been exploited.

4. Workaround
There are no workarounds for these issues.

5. Resolution
These issues are addressed in the following releases:
For customers with a valid support contract:
   SPARC Platform
     * Sun GlassFish Enterprise Server 2.1 with HADB with patch
       128643-10 or later
     * Sun GlassFish Enterprise Server 2.1 with patch 128647-10 or
       later
     * Sun Java System Application Server 9.1U2 with HADB (Package Based)
       with patch 128640-10 or later
     * Sun Java System Application Server 9.1U2 with HADB with patch
       128643-10 or later
     * Sun Java System Application Server 9.1U2 with patch 128647-10
       or later

   x86 Platform
     * Sun GlassFish Enterprise Server 2.1 with HADB with patch
       128644-10 or later
     * Sun GlassFish Enterprise Server 2.1 with patch 128648-10 or
       later
     * Sun Java System Application Server 9.1U2 with HADB (Package Based)
       with patch 128641-10 or later
     * Sun Java System Application Server 9.1U2 with HADB with patch
       128644-10 or later
     * Sun Java System Application Server 9.1U2 with patch 128648-10
       or later

   Linux
     * Sun GlassFish Enterprise Server 2.1 with HADB with patch
       128645-10 or later
     * Sun GlassFish Enterprise Server 2.1 with patch 128649-10 or
       later
     * Sun Java System Application Server 9.1U2 with HADB (Package Based)
       with patch 128642-10 or later
     * Sun Java System Application Server 9.1U2 with HADB with patch
       128645-10 or later
     * Sun Java System Application Server 9.1U2 with patch 128649-10
       or later

   Windows
     * Sun GlassFish Enterprise Server 2.1 with HADB with patch
       128646-10 or later
     * Sun GlassFish Enterprise Server 2.1 with patch 128650-10 or
       later
     * Sun Java System Application Server 9.1U2 with HADB with patch
       128646-10 or later
     * Sun Java System Application Server 9.1U2 with patch 128650-10
       or later

   AIX
     * Sun GlassFish Enterprise Server 2.1 with patch 137916-09 or
       later
     * Sun Java System Application Server 9.1U2 with patch 137916-09
       or later

A final resolution is pending completion (for customers without a
valid support contract).
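Because section 3 offers no symptom to look for, the only practical
check is the patch level itself. The script below is an added example,
not part of the Sun Alert or of the product: it reads an installed-patch
list in the format of Solaris `showrev -p` (the lines embedded below are
constructed sample data, not taken from a real host), looks up the patch
id from the Resolution table for the Solaris SPARC and x86 entries, and
honours the "or later" wording by comparing revisions numerically. The
function names `required_patch`, `patch_fixed` and `report` are mine;
Linux, Windows and AIX use other patch tooling and are not mapped.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: decide whether a Solaris host
# carries the fix patch from the Resolution table at the required revision
# or later. Input is the text of `showrev -p`, one line per patch, e.g.
#   Patch: 128647-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu

# required_patch PLATFORM VARIANT
#   PLATFORM: sparc | x86
#   VARIANT : plain (no HADB) | hadb | hadb-pkg (AS 9.1U2 package based)
#   Prints the patch id taken from the Resolution table above.
required_patch() {
    case "$1:$2" in
        sparc:plain)    echo 128647-10 ;;
        sparc:hadb)     echo 128643-10 ;;
        sparc:hadb-pkg) echo 128640-10 ;;
        x86:plain)      echo 128648-10 ;;
        x86:hadb)       echo 128644-10 ;;
        x86:hadb-pkg)   echo 128641-10 ;;
        *) echo "unknown platform/variant: $1 $2" >&2; return 1 ;;
    esac
}

# patch_fixed REQUIRED SHOWREV_TEXT
#   REQUIRED is "base-rev" (e.g. 128647-10). Returns 0 when a patch with
#   the same base id and a revision >= rev is installed, 1 otherwise.
patch_fixed() {
    req="$1"; list="$2"
    base="${req%-*}"; rev="${req#*-}"
    # highest installed revision of that base id, empty if none installed
    inst=$(printf '%s\n' "$list" \
        | sed -n "s/^Patch: ${base}-\([0-9][0-9]*\).*/\1/p" \
        | sort -n | tail -n 1)
    [ -n "$inst" ] || return 1
    # strip leading zeros so "09" is compared as 9, not rejected as octal
    inst=$(printf '%s' "$inst" | sed 's/^0*//')
    rev=$(printf '%s' "$rev" | sed 's/^0*//')
    [ "${inst:-0}" -ge "${rev:-0}" ]
}

# report PLATFORM VARIANT SHOWREV_TEXT: prints one FIXED/VULNERABLE line
report() {
    need=$(required_patch "$1" "$2") || return 2
    if patch_fixed "$need" "$3"; then
        echo "$1/$2: FIXED (patch $need or later installed)"
    else
        echo "$1/$2: VULNERABLE (patch $need or later not installed)"
    fi
}

# Constructed sample data (not from a real host): a host still at -09,
# one at exactly -10, and one at a later revision that obsoletes -10.
SHOWREV_OLD='Patch: 119254-50 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWinstall-patch-utils-root
Patch: 128647-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu'
SHOWREV_FIXED='Patch: 128647-10 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu'
SHOWREV_LATER='Patch: 128647-11 Obsoletes: 128647-10 Requires:  Incompatibles:  Packages: SUNWasu'

report sparc plain "$SHOWREV_OLD"
report sparc plain "$SHOWREV_FIXED"
report sparc plain "$SHOWREV_LATER"
```

On a real host replace the sample strings with `"$(showrev -p)"`; the
x86 entries differ only in the patch id, and a host with HADB must be
checked against the HADB patch rather than the plain one, since the two
are separate packages.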
For more information on Security Sun Alerts, see Technical
Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
