
DOE-CIRC TECHNICAL BULLETIN

T-220: Sun Java System Access Manager Debug Files Local Information Disclosure Vulnerability

August 28, 2009 13:00 GMT

PROBLEM: Sun Java System Access Manager is prone to a local information-disclosure vulnerability.
PLATFORM: Sun Java System Access Manager 6 2005Q1; Sun Java System Access Manager 7 2005Q4; Sun Java System Access Manager 7.1; OpenSSO Enterprise 8.0
ABSTRACT: A security vulnerability in Sun Java System Access Manager may disclose clear text passwords in debug files when the debug flag is enabled.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-220.shtml
  OTHER LINKS:
    Security Focus Website: http://www.securityfocus.com/bid/35963/info
    Sun Website: http://sunsolve.sun.com/search/document.do?assetkey=1-66-256668-1


IMPACT ASSESSMENT: This risk is medium. Attackers can exploit this issue to obtain potentially sensitive information that may aid in further attacks.

Discussion:
A security vulnerability in Sun Java System Access Manager may disclose clear text passwords in debug files when the debug flag is enabled. This would allow a local unprivileged user to gain unauthorized access to user identities which are managed by Sun Java System Access Manager.

This issue can occur in the following releases:

SPARC Platform:

    * Sun Java System Access Manager 6.3 2005Q1 (for Solaris 8, 9 and 10) without patch 119465-16
    * Sun Java System Access Manager 7.0 2005Q4 (for Solaris 8, 9 and 10) without patch 120954-10
    * Sun Java System Access Manager 7.1 (for Solaris 8, 9 and 10) without patch 126356-03

x86 Platform:

    * Sun Java System Access Manager 6.3 2005Q1 (for Solaris 8, 9 and 10) without patch 119465-16
    * Sun Java System Access Manager 7.0 2005Q4 (for Solaris 9 and 10) without patch 120955-10
    * Sun Java System Access Manager 7.1 (for Solaris 8, 9 and 10) without patch 126357-03

Linux:

    * Sun Java System Access Manager 6.3 2005Q1 without patch 119502-16
    * Sun Java System Access Manager 7.0 2005Q4 without patch 120956-10
    * Sun Java System Access Manager 7.1 without patch 126358-03

Windows:

    * Sun Java System Access Manager 7.0 2005Q4 without patch 124296-10
    * Sun Java System Access Manager 7.1 without patch 126359-03

HP-UX:

    * Sun Java System Access Manager 7.0 2005Q4 without patch 126371-10

Other:

    * Sun Java System Access Manager 7.1 WAR file-based installation (all platforms) without patch 140504-03
    * OpenSSO Enterprise 8.0 (for all supported platforms) without patch 141655-01

Note: This issue only affects the Sun Java System Access Manager if the "com.iplanet.services.debug.level" property is set to "message" in the AMConfig.properties configuration file. For example:

    com.iplanet.services.debug.level=message

This property is not set to "message" by default.

To determine if Sun Java System Access Manager is installed, the following command can be run on a Solaris system:

% pkginfo -l SUNWamsvc || echo "Sun Java System Access Manager is not installed"
    PKGINST:  SUNWamsvc
       NAME:  Sun Java System Access Manager Services
   CATEGORY:  application
       ARCH:  all
    VERSION:  7.1,REV=06.12.19.15.12

To determine the version of Sun Java System Access Manager on other systems, the following command can be run:

$ /bin/amadmin --version
Sun Java System Access Manager 7.1

where  is the installation directory of the Sun Java System Access Manager.

Workaround:
To work around the described issue, the "com.iplanet.services.debug.level" property can be set to an alternate value such as "error" in the AMConfig.properties configuration file. For example:

com.iplanet.services.debug.level=error
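The following is an added example (not Sun's code or part of this bulletin) that checks an AMConfig.properties file for the "message" debug level described in the Note above and rewrites it to the "error" value given in the Workaround. Only the property name and the two values come from the bulletin; the sample file content is constructed.

```python
"""Check AMConfig.properties for the debug level that causes this issue and
apply the bulletin's workaround.  Added example, not Sun's code."""
import re

DEBUG_LEVEL_KEY = "com.iplanet.services.debug.level"
EXPOSING_LEVEL = "message"   # level at which clear-text passwords reach debug files
SAFE_LEVEL = "error"         # alternate value named in the Workaround

# Constructed sample of an AMConfig.properties fragment (not a real file).
SAMPLE_CONFIG = """\
# Debug service settings
com.iplanet.services.debug.directory=/var/opt/SUNWam/debug
com.iplanet.services.debug.level = message
com.iplanet.am.server.host=am.example.com
"""

# key, optional '=' or ':' separator, value; surrounding whitespace ignored
_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def debug_level(text):
    """Return the configured debug level, or None when the property is absent."""
    return parse_properties(text).get(DEBUG_LEVEL_KEY)

def exposes_passwords(text):
    """True only when the level is 'message'; an unset property (the default) is not affected."""
    level = debug_level(text)
    return level is not None and level.lower() == EXPOSING_LEVEL

def apply_workaround(text):
    """Rewrite the debug level line to 'error', leaving every other line unchanged."""
    if not exposes_passwords(text):
        return text
    pattern = re.compile(r"^(\s*" + re.escape(DEBUG_LEVEL_KEY) + r"\s*[=:]\s*)\S+(.*)$", re.M)
    return pattern.sub(lambda m: m.group(1) + SAFE_LEVEL + m.group(2), text)

if __name__ == "__main__":
    print("affected configuration:", exposes_passwords(SAMPLE_CONFIG))
    print(apply_workaround(SAMPLE_CONFIG))
```

Point the script at a copy of the real AMConfig.properties to audit an installation; the rewrite only touches the one property line, so other settings survive a diff review.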

Solution:
This issue is addressed in the following releases:

SPARC Platform:

    * Sun Java System Access Manager 6.3 2005Q1 (for Solaris 8, 9 and 10) with patch 119465-16 or later
    * Sun Java System Access Manager 7.0 2005Q4 (for Solaris 8, 9 and 10) with patch 120954-10 or later
    * Sun Java System Access Manager 7.1 (for Solaris 8, 9 and 10) with patch 126356-03 or later

x86 Platform:

    * Sun Java System Access Manager 6.3 2005Q1 (for Solaris 8, 9 and 10) with patch 119465-16 or later
    * Sun Java System Access Manager 7.0 2005Q4 (for Solaris 9 and 10) with patch 120955-10 or later
    * Sun Java System Access Manager 7.1 (for Solaris 8, 9 and 10) with patch 126357-03 or later

Linux:

    * Sun Java System Access Manager 6.3 2005Q1 with patch 119502-16 or later
    * Sun Java System Access Manager 7.0 2005Q4 with patch 120956-10 or later
    * Sun Java System Access Manager 7.1 with patch 126358-03 or later

Windows:

    * Sun Java System Access Manager 7.0 2005Q4 with patch 124296-10 or later
    * Sun Java System Access Manager 7.1 with patch 126359-03 or later

HP-UX:

    * Sun Java System Access Manager 7.0 2005Q4 with patch 126371-10 or later

Other: 

    * Sun Java System Access Manager 7.1 WAR file-based installation (all platforms) with patch 140504-03 or later
    * OpenSSO Enterprise 8.0 (for all supported platforms) with patch 141655-01 or later

DOE-CIRC wishes to acknowledge the contributions of Sun Microsystems for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788