Hole in Sun ONE

Boggy

A potentially serious vulnerability in Sun ONE Application Server creates a mechanism for crackers to run malicious code on Web servers.

A flaw in the NSAPI Connector Module, which connects a Sun ONE Application Server to Sun ONE Web Server (formerly iPlanet Enterprise Server), leaves the door open to stack buffer overflow attacks, security firm @stake warned last week.

As with other buffer overflow attacks, the flaw gives crackers a way to craft a malformed request that crashes a server and overwrites sensitive locations in memory with arbitrary code, which might subsequently be executed.

Even though the flaw is yet to be coded up in a script-kiddie friendly exploit, sysadmins are urged to guard against it.

The issue affects Sun ONE Application Server version 6.5 and earlier.

Sun ONE Application Server 6.5 SP1, available here, fixes the problem for users running the latest version of the software.

A fix for version 6.0 is not currently available. However, @stake suggests a workaround designed to verify the lengths of HTTP requests, as well as other mitigation strategies (explained in more detail in its advisory here). ®

External Links

Overview of the problem (from BugTraq)
