----------------------------------------------------------------------

TITLE:
Sun Java System Identity Manager Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA32606

VERIFY ADVISORY:
http://secunia.com/advisories/32606/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Sun Java System Identity Manager 6.x
http://secunia.com/advisories/product/17149/
Sun Java System Identity Manager 7.x
http://secunia.com/advisories/product/17150/

DESCRIPTION:
Some vulnerabilities have been reported in Sun Java System Identity
Manager, which can be exploited by malicious people to conduct
cross-site scripting attacks and to bypass certain security
restrictions.

1) Unspecified input is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of an affected site.

2) An unspecified vulnerability related to cross-site request forgery
can be exploited to gain unauthorised access to the Administrator
account.

3) An unspecified vulnerability can be exploited to gain unauthorised
access to certain files on the IDM server's file system.

4) An unspecified vulnerability can be exploited to inject arbitrary
content in frames.

NOTE: An unspecified redirection issue has also been reported.

The vulnerabilities are related to:
SA28356

The vulnerabilities are reported in Sun Java System Identity Manager
6.0 (including SP1, SP2, SP3, and SP4), 7.0, and 7.1.

SOLUTION:
Apply patches.

Sun Java System Identity Manager 6.0:
Apply patches 136848-02 or later and 139081-01 or later.

Sun Java System Identity Manager 6.0 SP1:
Apply patches 136849-02 or later and 139082-01 or later.
Sun Java System Identity Manager 6.0 SP2:
Apply patches 136850-02 or later and 139083-01 or later.

Sun Java System Identity Manager 6.0 SP3:
Apply patches 136851-02 or later and 139084-01 or later.

Sun Java System Identity Manager 6.0 SP4:
Apply patch 139085-01 or later.

Sun Java System Identity Manager 7.0:
Apply patches 136852-02 or later and 139086-01 or later.

Sun Java System Identity Manager 7.1:
Apply patches 136853-02 or later and 139087-01 or later.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Richard Brain, Adrian Pastor and Jan Fry of
ProCheckup Ltd.

ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-243386-1

OTHER REFERENCES:
SA28356:
http://secunia.com/advisories/28356/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
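The SOLUTION section lists, per Identity Manager release, the Sun patch IDs that must be present "or later", where "later" means a higher two-digit revision of the same six-digit base patch. The script below is an added example, not part of the Secunia advisory or of Sun's tooling: it encodes that patch table and checks a list of installed patches against it. The installed list is assumed to be in the `Patch: NNNNNN-RR ...` line format produced by the Solaris `showrev -p` command; the sample output embedded here is constructed for the example and does not describe any real host.

```python
import re

# Required patches per release, exactly as listed in Secunia SA32606.
# Each entry is the minimum revision; a higher revision of the same
# base patch satisfies the "or later" wording.
REQUIRED_PATCHES = {
    "6.0":     ["136848-02", "139081-01"],
    "6.0 SP1": ["136849-02", "139082-01"],
    "6.0 SP2": ["136850-02", "139083-01"],
    "6.0 SP3": ["136851-02", "139084-01"],
    "6.0 SP4": ["139085-01"],
    "7.0":     ["136852-02", "139086-01"],
    "7.1":     ["136853-02", "139087-01"],
}

PATCH_ID_RE = re.compile(r"(\d{6})-(\d{2})")


def parse_patch_id(patch_id):
    """Split 'NNNNNN-RR' into (base, revision-as-int); reject other shapes."""
    m = PATCH_ID_RE.fullmatch(patch_id.strip())
    if m is None:
        raise ValueError("not a Sun patch ID: %r" % patch_id)
    return m.group(1), int(m.group(2))


def installed_patches(showrev_output):
    """Map base patch -> highest installed revision.

    Assumes `showrev -p` style lines ('Patch: 136848-01 Obsoletes: ...');
    lines that do not start with 'Patch:' are ignored.
    """
    installed = {}
    for line in showrev_output.splitlines():
        m = re.match(r"\s*Patch:\s+(\d{6})-(\d{2})\b", line)
        if m is None:
            continue
        base, rev = m.group(1), int(m.group(2))
        installed[base] = max(installed.get(base, 0), rev)
    return installed


def missing_patches(version, showrev_output):
    """Return the advisory's patch IDs that are absent or below the
    required revision for the given Identity Manager release."""
    installed = installed_patches(showrev_output)
    missing = []
    for required in REQUIRED_PATCHES[version]:
        base, rev = parse_patch_id(required)
        if installed.get(base, 0) < rev:
            missing.append(required)
    return missing


# Constructed sample: one patch is present but at an older revision
# than the advisory requires, the other is at the required revision.
SAMPLE_SHOWREV = """\
Patch: 136848-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWidm
Patch: 139081-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWidm
"""

# Constructed sample for a fully patched 6.0 host (136848 at a later revision).
SAMPLE_SHOWREV_PATCHED = """\
Patch: 136848-03 Obsoletes: 136848-02 Requires:  Incompatibles:  Packages: SUNWidm
Patch: 139081-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWidm
"""

if __name__ == "__main__":
    for label, output in (("unpatched", SAMPLE_SHOWREV),
                          ("patched", SAMPLE_SHOWREV_PATCHED)):
        gaps = missing_patches("6.0", output)
        print("%s host, IDM 6.0: %s" % (label, gaps or "all required patches present"))
```

Run it against real `showrev -p` output piped into `missing_patches` for the release actually installed; a non-empty result is the list of patch IDs still to apply. Because the check keys on the base patch and compares revisions numerically, a later revision such as 136848-03 correctly satisfies the "136848-02 or later" requirement.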