Multiple vulnerabilities have been identified in Sun Java System Identity Manager, which could be exploited by attackers or malicious users to bypass security restrictions, gain knowledge of sensitive information, manipulate data, or compromise a vulnerable system. These issues are caused by unspecified errors when processing user-supplied data or requests, which could allow attackers to gain unauthorized access to data being transferred between clients and the server, determine the existence of valid account names, execute arbitrary scripting code, execute arbitrary commands on Unix/Linux based resource adapters, modify system configuration data, or by malicious users to change the password of other accounts, perform some actions with additional capabilities than those assigned, or submit arbitrary commands to the Admin Console and perform administrative actions (e.g. creating accounts).

Affected Products

Sun Java System Identity Manager version 7.0
Sun Java System Identity Manager version 7.1
Sun Java System Identity Manager version 7.1.1
Sun Java System Identity Manager version 8.0

Solution

Sun Java System Identity Manager 7.0 - Apply patch 140935-01
Sun Java System Identity Manager 7.1 - Apply patch 140936-01
Sun Java System Identity Manager 7.1.1 - Apply patch 137621-11
Sun Java System Identity Manager 8.0 - Apply patch 139010-06

References

http://www.vupen.com/english/advisories/2009/0797
http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1

Credits

Vulnerabilities reported by Dan Sinclair (Security Compass), ProCheckUp Ltd, Alexandre Bezroutchko (Scanit), and Marco Mella.

Changelog

2009-03-23 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.