Title
Sun Java System Directory Server: Vulnerability allows Denial-of-Service Attack


Date 2007-03-26


State 2007-05-04


Operating System(s)
Unix
Microsoft Windows


Software
Sun Java System Directory Server 5.1 Service Pack 3,
Sun Java System Directory Server 5.2,
Sun Java System Directory Server Enterprise Edition


Attack
A remote anonymous attacker can exploit a vulnerability in Sun Java System Directory Server to launch a denial-of-service attack.


Description
The Sun Java System Directory Server (LDAP) offers highly available, scalable and secure directory services.

A vulnerability exists in the Sun Java System Directory Server "ns-slapd". It is located in the "clean-up" code for some types of failed queries. By exploiting the vulnerability, an attacker can cause the server to call the "free()" function on an address obtained from uninitialized memory. This may result in an invalid memory reference, leading to a denial-of-service condition.

An attacker can exploit this vulnerability to launch a denial-of-service attack.
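
The bug class described above, as an added illustration (not code from Sun or from this advisory): a hypothetical query parser whose shared clean-up path calls free() on a pointer that was never initialized when a query fails early, next to a version that initializes every pointer before the first failure point. The struct, the function names and the sample inputs are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

struct query { char *base; char *filter; };  /* hypothetical layout */

/* Copy one request field; empty or missing input counts as a failed query. */
static char *dup_field(const char *s) {
    if (s == NULL || *s == '\0') return NULL;
    char *p = malloc(strlen(s) + 1);
    if (p != NULL) strcpy(p, s);
    return p;
}

/* Shared clean-up: only correct if every pointer is NULL or heap-allocated. */
static void query_free(struct query *q) {
    if (q == NULL) return;
    free(q->base);
    free(q->filter);
    free(q);
}

/* Fill the fields in order; any failure goes through the clean-up path. */
static struct query *query_fill(struct query *q, const char *base,
                                const char *filter) {
    if ((q->base = dup_field(base)) != NULL &&
        (q->filter = dup_field(filter)) != NULL)
        return q;
    query_free(q);
    return NULL;
}

/* BEFORE: malloc() leaves q->filter indeterminate. If the base field is
 * rejected, clean-up passes that stale value to free(): undefined behaviour,
 * typically a crash. Kept for comparison only; main() never calls it. */
struct query *query_parse_unsafe(const char *base, const char *filter) {
    struct query *q = malloc(sizeof *q);
    return q != NULL ? query_fill(q, base, filter) : NULL;
}

/* AFTER: both pointers are NULL before anything can fail, so the same
 * clean-up is safe on every error path (free(NULL) is a no-op). */
struct query *query_parse_safe(const char *base, const char *filter) {
    struct query *q = malloc(sizeof *q);
    if (q == NULL) return NULL;
    q->base = q->filter = NULL;
    return query_fill(q, base, filter);
}

int main(void) {
    /* Constructed input: an empty base fails the query before filter is set. */
    return query_parse_safe("", "(uid=a)") == NULL ? 0 : 1;
}
```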


Risk*
Probability of an attack: MEDIUM-HIGH
Possible damage: MEDIUM


Recommendation
This issue has not yet been resolved. Knowledge of this vulnerability is the only defense at this point.

2007-05-04
Sun provides updates and hotfixes. Please update your installation and consult the vendor's advisory to find the version suitable for your environment:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102853



Information
Sun Alert Notification Alert-ID 102853 dated 2007-03-23:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102853-1

2007-05-04
Sun Alert Notification Alert-ID 102853 Update dated 2007-05-04:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102853



Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4175


http://sunsolve.sun.com/search/document.do?assetkey=102853-1



-----------------------------------------------------
*The probability of an attack is determined by the attacker's motivation, the effort required and the opportunities for an attack. The damage probability is determined by the effort needed to resolve the attack and the probable indirect consequences of an attack for business processes. T-Systems assumes worst-case scenarios.

Copyright © 1999-2007 by T-Systems.
All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. T-Systems can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.