=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN343
_____________________________________________________________________

DATE                      : 04/09/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sun Java Web Server.

======================================================================
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-266429-1
______________________________________________________________________

Solution Type: Sun Alert
Solution  266429 :   A Security Vulnerability in the Sun Java System
Web Server Related to Handling of Dynamic Content May Lead to
Unauthorized Information Disclosure
Bug ID: 6860680

Product:
Sun Java Web Server 6.1
Sun Java Web Server 7.0

Date of Workaround Release: 27-Aug-2009

SA Document Body
A Security Vulnerability in the Sun Java System Web Server Related to
Handling of Dynamic Content May Lead to Unauthorized Information Disclosure

1. Impact
A security vulnerability in the Sun Java System Web Server related to
handling of dynamic content may allow a remote unprivileged user to
gain access to sensitive information on a Windows system running the
Sun Java System Web Server application.
This issue is also referenced in the following document:

CVE-2009-2445 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2445

2. Contributing Factors
Windows Platform
  * Sun Java System Web Server 6.1 without Service Pack 12
  * Sun Java System Web Server 7.0 without patch 125441-17 for Update
    Release 6

Note: Sun Java System Web Server 6.1 and 7.0 running on non-Windows
platforms are not impacted by this issue.
Sun Java System Web Server 7.0 Update Release 6 can be downloaded
from:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-7.0U6-OTH-G-F@CDS-CDS_SMI

3. Symptoms
There are no predictable symptoms to indicate that this issue has been
exploited to gain unauthorized access to information.

4. Workaround
To work around the described issue, add the following mapping to the
"config/default-web.xml" file:

<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp::$DATA</url-pattern>
</servlet-mapping>

and then restart the Web Server by executing the following commands as
the 'root' user:
# <INSTALL-DIR>/admin-server/bin/stopserv
# <INSTALL-DIR>/admin-server/bin/startserv

where <INSTALL-DIR> is the path to the Sun Java System Web Server
installation directory.
Refer to the product documentation for more information on editing the
"default-web.xml" file.
Note: This workaround is valid only for Java Server Pages (JSP). There
is no workaround to avoid this issue with other dynamic content
provided by the Web Server.Refer to the product documentation for more
information on editing the "default-web.xml" file.

5. Resolution
A final resolution is pending completion.

For more information on Security Sun Alerts, see Technical
Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved



======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================