Security Patch Watch: Sun Java, Veritas NetBackup, BEA WebLogic

A round-up of security vulnerabilities flagged and fixed in several widely deployed enterprise products.

Network computing giant Sun Microsystems Inc. has released patches for an information disclosure security flaw in certain releases of the Sun Java System Application Server.

In an advisory posted online, Sun warned that the vulnerability may allow a remote unprivileged user the ability to view the source code of Java Server pages.

Security alerts aggregator Secunia Inc. rates the issue as "moderately critical" and said malicious hackers could exploit the bug to hijack certain sensitive information.

/zimages/5/28571.gifSun squashes critical Java bugs. Click here to read more.

The vulnerability has been reported in the Sun Java System Application Server 7 Standard Edition Update 6, Sun Java System Application Server 7 Platform Edition Update 6, Sun Java System Application Server 7 2004Q2 Standard Edition and the Sun Java System Application Server 7 2004Q2 Enterprise Edition.

Patches for the bug are available for download.

Symantec Plugs High Risk NetBackup Flaw

Enterprise security vendor Symantec Corp. has shipped an update to its Veritas NetBackup product to correct a "high risk" code execution vulnerability.

The company acknowledged the flaw in an alert that described the bug as a format string overflow vulnerability in the Java user-interface authentication service, bpjava-msvc, running on Veritas NetBackup servers and agents.

/zimages/5/28571.gifClick here to read about Veritas patching flaws in backup products.

"[This] could potentially allow remote attackers to execute arbitrary code on a targeted system with elevated privileges," Symantec warned.

Affected products include the Veritas NetBackup DataCenter and BusinesServer and the NetBackup Enterprise/Server/Client.

The bug is the first that has been publicly reported by TippingPoints new Zero Day Initiative, the service that pays private researchers for vulnerability information.

24 Security Holes Plugged in BEA WebLogic

BEA Systems Inc.s WebLogic application server has undergone a major security makeover to fix 24 vulnerabilities affecting enterprise customers.

The flaws, which carry a "moderately critical" rating, affect the BEA WebLogic Server 6.x through 9.x.

Secunia warned that successful exploitation could lead to security bypass, cross-site scripting, data manipulation, brute force attacks, information disclosure, privilege escalation and denial-of-service attacks.

Secunia has included patch download locations in its security alert.

BrightMail AntiSpam Patch

A "moderately critical" bug in Symantecs enterprise-facing BrightMail AntiSpam application could put users at risk of denial-of-service attacks, the company acknowledged in an online alert.

The vulnerability is caused due to an error in processing certain malformed MIME content. This may be exploited to crash the "bmserver" component and cause a system crash.

Affected products include the Symantec BrightMail AntiSpam 6.0.1 and 6.0.2.

Patches have been included in Symantecs advisory.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.