Sun ONE Vulnerability Comes to Light | eWeek

Sun ONE Vulnerability Comes to Light

Écrit par
Dennis Fisher
Dennis Fisher
Mar 13, 2003
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Security researchers have discovered a vulnerability in Sun Microsystems Inc.s Sun ONE Application Server that can give an attacker control over the Web server.

The vulnerability, found by researchers at @stake Inc., in Cambridge, Mass., is a stack buffer overflow in the Connector Module. The module, which ships with the Application Server, is a Netscape API plugin that integrates the Sun ONE Web Server with the Application Server.

The module uses a static buffer to handle the incoming request URI (Universal Resource Identifier). All an attacker needs to do to exploit this flaw is send an overly long request URI to the module. This will overwrite the saved extended instruction pointer register.

The vulnerability affects versions 6.0 and 6.5 of the Application Server. Sun, based in Santa Clara, Calif., has only produced a patch for 6.5, however. That fix is included in Service Pack 1 for the server, which is downloadable at Suns Web site.

There are several workarounds for companies that have 6.0 deployed, according to @stakes advisory. The researchers recommend that users do one of three things: write an NSAPI module that checks the length of HTTP request URIs; terminate the SSL session on a device in front of the Sun ONE Web server, then install an intrusion detection sensor to inspect the clear-text traffic and write a filter to detect overly long HTTP request URIs; or terminate the SSL session on a reverse proxy that does data validation on all HTTP request headers.

The full @stake advisory, available here, provides an example of an NSAPI module that performs the correct checks.

Latest Security News:

Search for more stories by Dennis Fisher.
Find white papers on security.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.