The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Sun Web Proxy

vulnerability note CVE-2011-3389 CVE-2012-1870

SSL, TLS: obtaining HTTPS Cookies, BEAST

Synthesis of the vulnerability

An attacker, who can control HTTPS connections of victim's web browser and which has a sufficient bandwidth, can use several SSL sessions in order to compute HTTP headers, such as cookies.
Impacted products: Asterisk Open Source, IPSO, SecurePlatform, CheckPoint Security Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, Domino, Mandriva Linux, IIS, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, openSUSE, Opera, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Java Oracle, Oracle Web Tier, SSL protocol, RHEL, Sun AS, SUSE Linux Enterprise Desktop, SLES, Nessus.
Severity: 1/4.
Consequences: data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 26/09/2011.
Identifiers: 2588513, 2643584, 2655992, AST-2016-001, BID-49778, BID-54304, c03122753, CERTA-2012-AVI-381, CERTFR-2016-AVI-046, CVE-2004-2770-REJECT, CVE-2011-3389, CVE-2012-1870, DSA-2368-1, DSA-2398-1, DSA-2398-2, FEDORA-2012-5916, FEDORA-2012-5924, FEDORA-2012-9135, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02730, javacpuoct2011, MDVSA-2012:058, MDVSA-2012:096, MDVSA-2012:096-1, MDVSA-2012:097, MS12-006, MS12-049, openSUSE-SU-2012:0030-1, openSUSE-SU-2012:0063-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, openSUSE-SU-2012:0667-1, RHSA-2012:0034-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk74100, sk86440, SOL13400, SSRT100710, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, swg21568229, VIGILANCE-VUL-11014, VU#864643.

Description of the vulnerability

The SSL/TLS protocol supports CBC (Cipher Block Chaining) encryption: a clear block is "XORed" (operation Exclusive OR) with the last encrypted block, and the result is encrypted. This dependence between a block and its previous block was the subject of several theoretical studies since 2002, and led to the definition of TLS 1.1 in 2006, which uses a different algorithm.

The HTTPS "protocol", used by web browsers, encapsulates an HTTP session in a SSL/TLS session. An HTTP query is like:
  GET /abcdefg HTTP/1.0
  Headers (cookies)
  ...
This query is fragmented in blocks of 8 bytes, which are encrypted by CBC. The first block is thus "GET /abc".

An attacker can setup a malicious web site, and invite the victim to connect. This web site can request the victim's web browser to load the page "/abcdefg" of a site secured by SSL/TLS.

The attacker controls the size of the requested url (via "/abcdefg"), so he can place the first byte of headers at the end of a block (the 7 other bytes are known: "P/1.1\r\n"). This blocks follows a block which is fully known ("defg HTT"). The attacker can then capture the encrypted SSL/TLS session, and memorize the last encrypted block. This block is used as an initialization vector to compute an XOR between "defg HTT" (block 2) encrypted, and a guessed character located at the end of "P/1.1\r\n" (block 3). The result is reinjected by the attacker at the end of the HTTP query in clear text. He captures the resulting encrypted block, and if it is the same as the third encrypted block, then the guessed character was correct. The attacker repeats these queries as many times as necessary.

An attacker, who can control HTTPS connections of victim's web browser and which has a sufficient bandwidth, can therefore use several SSL sessions in order to compute HTTP headers, such as cookies.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2010-2385

Sun Web Proxy Server: vulnerability of July 2010

Synthesis of the vulnerability

An attacker can use a vulnerability of the Administration Server of Sun Java System Web Proxy Server, in order to obtain information or to alter information.
Impacted products: Oracle iPlanet Web Proxy Server.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 15/07/2010.
Identifiers: BID-41618, cpujul2010, CVE-2010-2385, VIGILANCE-VUL-9762.

Description of the vulnerability

An attacker can use a vulnerability of the Administration Server of Sun Java System Web Proxy Server, in order to obtain information or to alter information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2010-0388

Sun Web Server: format string attack of WebDAV

Synthesis of the vulnerability

When WebDAV is enabled on Sun Java System Web Server, an attacker can use malicious XML data, in order to generate a format string attack, leading to a denial of service or to code execution.
Impacted products: Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 22/01/2010.
Identifiers: 275850, 6916390, BID-37910, CVE-2010-0388, VIGILANCE-VUL-9377.

Description of the vulnerability

The WebDAV extension adds the PROPFIND method to the HTTP protocol, in order to obtain properties of a path. For example:
  PROPFIND /path HTTP/1.1
  [...]
  <?xml version="1.0" encoding="iso-8859-1"?>
    <a:propfind xmlns:a="DAV:">
    <a:prop><a:getcontenttype/></a:prop>
  </a:propfind>

However, if the encoding of XML data contains format parameters, they are directly interpreted.

When WebDAV is enabled on Sun Java System Web Server, an attacker can therefore use malicious XML data, in order to generate a format string attack, leading to a denial of service or to code execution.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2010-0387

Sun Web Server: buffer overflow via Digest

Synthesis of the vulnerability

An attacker can use a long Digest authentication, in order to generate a buffer overflow, leading to a denial of service or to code execution.
Impacted products: Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 21/01/2010.
Identifiers: 275850, 6916391, 6917212, BID-37896, CVE-2010-0387, VIGILANCE-VUL-9372.

Description of the vulnerability

When the HTTP Digest authentication is enabled on Sun Java System Web Server, it returns to the client:
  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Digest
     realm="realm@server" ...
The web browser then asks user for his login and password, then replies back with:
  Authorization: Digest username="my_user_name",
     realm="realm@server" ...

However, if data after Digest are too long, a buffer overflow occurs.

An attacker can therefore use a long Digest authentication, in order to generate a buffer overflow, leading to a denial of service or to code execution.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2010-0361

Sun Web Server: buffer overflow via WebDAV

Synthesis of the vulnerability

When WebDAV is enabled on Sun Java System Web Server, an attacker can use a long url, in order to generate a buffer overflow, leading to a denial of service or to code execution.
Impacted products: Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 21/01/2010.
Identifiers: 275850, 6916389, BID-37874, CVE-2010-0361, VIGILANCE-VUL-9371.

Description of the vulnerability

The WebDAV extension is used to edit files hosted on Sun Java System Web Server.

A WebDAV query for example uses the OPTIONS method of the HTTP protocol:
  OPTIONS /webdav_directory/file HTTP/1.0

However, if the file name is too long, a buffer overflow occurs.

When WebDAV is enabled on Sun Java System Web Server, an attacker can therefore use a long url, in order to generate a buffer overflow, leading to a denial of service or to code execution.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2010-0360

Sun Web Server: memory corruption via TRACE

Synthesis of the vulnerability

An attacker can use the HTTP TRACE method, in order to overwrite or to read the memory content.
Impacted products: Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Creation date: 19/01/2010.
Identifiers: 101176, 200171, 275850, 6916392, 6917211, CVE-2010-0360, VIGILANCE-VUL-9358.

Description of the vulnerability

The HTTP TRACE method is used to echo back an HTTP request, which can go through several proxies. For example:
  TRACE / HTTP/1.0
  Header1: value
  [empty line]
  HTTP/1.1 200 OK
  Connection: close
  Content-Type: message/http
  [below, the request is returned to the web client]
  TRACE / HTTP/1.0
  Header1: value
The HTTP TRACE method is enabled by default on Sun Java System Web Server.

However, if the size of header names is only one byte, an overflow occurs in Sun Java System Web Server.

This error:
 - either generates a memory corruption, leading to a denial of service or to code execution
 - either forces the web server to return to the web client data coming from its memory, which may be sensitive
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2009-3555

TLS, OpenSSL, GnuTLS: vulnerability of the renegotiation

Synthesis of the vulnerability

A remote attacker can use a vulnerability of TLS in order to insert plain text data during a renegotiation via a man-in-the-middle attack.
Impacted products: Apache httpd, ArubaOS, BES, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco CSS, IOS by Cisco, IOS XR Cisco, IronPort Email, IronPort Management, Cisco Router, Secure ACS, Cisco CallManager, Cisco CUCM, Cisco IP Phone, WebNS, XenApp, XenDesktop, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FortiOS, FreeBSD, HP-UX, AIX, WebSphere AS Traditional, IVE OS, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, Juniper SA, Mandriva Linux, Mandriva NF, IIS, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, NSS, NetBSD, NetScreen Firewall, ScreenOS, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Oracle Directory Server, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Trusted Solaris, ProFTPD, SSL protocol, RHEL, Slackware, Sun AS, SUSE Linux Enterprise Desktop, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 10/11/2009.
Identifiers: 1021653, 111046, 273029, 273350, 274990, 6898371, 6898539, 6898546, 6899486, 6899619, 6900117, 977377, AID-020810, BID-36935, c01945686, c01963123, c02079216, CERTA-2011-ALE-005, CERTFR-2017-AVI-392, cisco-sa-20091109-tls, CTX123248, CTX123359, CVE-2009-3555, DSA-1934-1, DSA-2141-1, DSA-2141-2, DSA-2141-4, DSA-2626-1, DSA-3253-1, FEDORA-2009-12229, FEDORA-2009-12305, FEDORA-2009-12606, FEDORA-2009-12750, FEDORA-2009-12775, FEDORA-2009-12782, FEDORA-2009-12968, FEDORA-2009-13236, FEDORA-2009-13250, FEDORA-2010-1127, FEDORA-2010-3905, FEDORA-2010-3929, FEDORA-2010-3956, FEDORA-2010-5357, FEDORA-2010-8742, FEDORA-2010-9487, FEDORA-2010-9518, FG-IR-17-137, FreeBSD-SA-09:15.ssl, HPSBUX02482, HPSBUX02498, HPSBUX02517, KB25966, MDVSA-2009:295, MDVSA-2009:323, MDVSA-2009:337, MDVSA-2010:069, MDVSA-2010:076, MDVSA-2010:076-1, MDVSA-2010:089, MDVSA-2013:019, NetBSD-SA2010-002, openSUSE-SU-2010:1025-1, openSUSE-SU-2010:1025-2, openSUSE-SU-2011:0845-1, PM04482, PM04483, PM04534, PM04544, PM06400, PSN-2011-06-290, PSN-2012-11-767, RHSA-2009:1579-02, RHSA-2009:1580-02, RHSA-2010:0011-01, RHSA-2010:0119-01, RHSA-2010:0130-01, RHSA-2010:0155-01, RHSA-2010:0162-01, RHSA-2010:0163-01, RHSA-2010:0164-01, RHSA-2010:0165-01, RHSA-2010:0166-01, RHSA-2010:0167-01, SOL10737, SSA:2009-320-01, SSA:2010-067-01, SSRT090249, SSRT090264, SSRT100058, SUSE-SA:2009:057, SUSE-SA:2010:020, SUSE-SR:2010:008, SUSE-SR:2010:012, SUSE-SR:2011:008, SUSE-SU-2011:0847-1, TLSA-2009-30, TLSA-2009-32, VIGILANCE-VUL-9181, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3, VU#120541.

Description of the vulnerability

Transport Layer Security (TLS) is a cryptographic protocol for network transport.

When opening a connection using TLS, a negotiation mechanism allows the client and server to agree on the encryption algorithm to use.

The protocol allows for renegotiation at any time during the connection. However, the handling of those renegotiations has a vulnerability.

A remote attacker can therefore exploit this vulnerability in order to insert plain text data via a man-in-the-middle attack.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2009-3087 CVE-2009-3094 CVE-2009-3095

Several products: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in numerous products.
Impacted products: Apache httpd, OpenOffice, NetWorker, F-PROT AV, FreeBSD, OpenView, OpenView NNM, OpenView Operations, HP Operations, Domino, Kaspersky AV, MySQL Community, MySQL Enterprise, OpenSolaris, OpenSSL, Oracle AS, Oracle Directory Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, WebLogic, Percona Server, Samba, Crystal Reports, SAP ERP, NetWeaver, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 04/09/2009.
Revisions dates: 11/09/2009, 26/10/2009.
Identifiers: BID-36242, BID-36243, BID-36248, BID-36250, BID-36252, BID-36253, BID-36254, BID-36257, BID-36258, BID-36263, BID-36267, BID-36285, BID-36286, BID-36813, BID-36818, BID-36819, BID-37640, CERTA-2009-AVI-384, CERTA-2009-AVI-424, CVE-2009-3087, CVE-2009-3094, CVE-2009-3095, CVE-2009-3098, CVE-2009-3099, CVE-2009-3111, CVE-2009-3344, CVE-2009-3345, CVE-2009-3346, CVE-2009-3569, CVE-2009-3570, CVE-2009-3571, CVE-2009-3878, CVE-2009-4481-REJECT, CVE-2009-4484, VIGILANCE-VUL-9000.

Description of the vulnerability

Several vulnerabilities were announced in numerous products. Their technical details are unknown. Individual bulletins will be created when details will be published.

Apache mod_proxy_ftp is impacted by two vulnerabilities: VIGILANCE-VUL-8994 and VIGILANCE-VUL-9038. [severity:1/4; BID-36254, CERTA-2009-AVI-424, CVE-2009-3094, CVE-2009-3095]

EMC Legato NetWorker is impacted by three vulnerabilities. [severity:1/4]

F-PROT Antivirus is impacted by two vulnerabilities. [severity:1/4]

FreeBSD is impacted by two vulnerabilities. [severity:1/4]

FreeRADIUS is impacted by the VIGILANCE-VUL-9016 vulnerability. [severity:1/4; BID-36263, CERTA-2009-AVI-384, CVE-2009-3111, CVE-2009-4481-REJECT]

HP Operations is impacted by two vulnerabilities. [severity:1/4; BID-36253, BID-36258, CVE-2009-3098, CVE-2009-3099]

HP OpenView Network Node Manager is impacted by four vulnerabilities. [severity:1/4; BID-36248]

Lotus Domino is impacted by six vulnerabilities. [severity:1/4; BID-36257, CVE-2009-3087]

Kaspersky Online Antivirus Scanner is impacted by two vulnerabilities. One vulnerability is related to kos-bin-winnt.jar containing the kosglue-7.0.26.0.dll DLL which can contain a Trojan Horse. [severity:1/4; BID-36243]

MySQL is impacted by two vulnerabilities. The first one is VIGILANCE-VUL-9380. [severity:1/4; BID-36242, BID-37640, CVE-2009-4484]

OpenOffice is impacted by three vulnerabilities. [severity:1/4; BID-36285, CVE-2009-3569, CVE-2009-3570, CVE-2009-3571]

OpenSSL is impacted by one vulnerability. [severity:1/4]

Oracle WebLogic is impacted by three vulnerabilities. [severity:1/4]

Oracle Application Server is impacted by five vulnerabilities. [severity:1/4]

PowerArchiver is impacted by one vulnerability. [severity:1/4]

SAP Crystal Reports is impacted by three vulnerabilities. [severity:1/4; BID-36267, CVE-2009-3344, CVE-2009-3345, CVE-2009-3346]

SAP NetWeaver is impacted by six vulnerabilities. [severity:1/4; BID-36252]

Samba is impacted by six vulnerabilities. [severity:1/4; BID-36250]

Sun Java System Directory Server is impacted by two vulnerabilities. [severity:1/4; BID-36286]

Sun Java System Web Proxy Server is impacted by one vulnerability. [severity:1/4]

Solaris is impacted by one vulnerability. [severity:1/4]

Sun Java System WebServer is impacted by one vulnerability. [severity:1/4; BID-36813, CVE-2009-3878]

Solaris is impacted by two vulnerabilities. [severity:1/4; BID-36818, BID-36819]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability 8215

Sun Web Proxy Server: buffer overflow of Vary/Via

Synthesis of the vulnerability

An attacker can use malicious headers in order to execute code in Sun Java System Web Proxy Server.
Impacted products: Oracle iPlanet Web Proxy Server.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 03/11/2008.
Identifiers: 126325, 242986, 6707473, VIGILANCE-VUL-8215.

Description of the vulnerability

The HTTP protocol defines two headers used by proxies:
 - Vary: this reply header indicates query headers that are used to generate the reply (if the query uses the same headers, the cache can return the previous reply)
 - Via: this header indicates intermediate proxies

However, Sun Java System Web Proxy Server does not correctly handle the size of these headers, which creates a buffer overflow.

An attacker can therefore setup a malicious web server, and then invite the victim to connect through the proxy, in order to execute code on his computer.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2008-4541

Sun Web Proxy Server: buffer overflow of FTP

Synthesis of the vulnerability

An attacker can execute code in the FTP proxy of Sun Java System Web Proxy Server.
Impacted products: Oracle iPlanet Web Proxy Server.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 10/10/2008.
Revision date: 15/10/2008.
Identifiers: 242986, 6707473, BID-31691, CVE-2008-4541, VIGILANCE-VUL-8160.

Description of the vulnerability

The Sun Java System Web Proxy Server product has proxy for FTP:
 - the internal user enters "ftp://site/" in his web browser
 - the web browser connects to the proxy and sends "GET ftp://site/ HTTP/1.0"
 - the proxy connects to the "site" FTP server

However, if the GET query is too long, a buffer overflow occurs in the FTP proxy.

An attacker, allowed to query the proxy, can thus execute code on the proxy server.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Sun Web Proxy: