Sun Java System Identity Manager Multiple Vulnerabilities


Highly critical

Description:

Some vulnerabilities and security issues have been reported in Sun Java System Identity Manager, which can be exploited by malicious users to bypass certain security restrictions, and by malicious people to disclose sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, manipulate certain data, or potentially compromise a vulnerable system.

1) An unspecified error can lead to unencrypted communication between clients and the IDM server.

2) An unspecified error can be exploited to enumerate valid user accounts.

3) An unspecified error can be exploited to change another user's password.

4) An unspecified error can be exploited to perform certain actions that are expected to be restricted.

Successful exploitation requires a valid user account.

5) Unspecified input is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

6) An unspecified error can be exploited to bypass certain security restrictions, which potentially allows cross-site scripting and cross-site request forgery attacks.

Successful exploitation requires a valid user account.

7) An unspecified error can be exploited to execute arbitrary commands on Unix / Linux based resource adapters.

8) An unspecified error can be exploited to modify IDM system configuration data.

9) An unspecified error can be exploited by IDM users to gain escalated privileges or to execute arbitrary code on the IDM server machine.

Successful exploitation may require a valid user account.

The vulnerabilities are reported in Sun Java System Identity Manager 7.0, 7.1, 7.1.1, and 8.0.

NOTE: Version 8.1 is reportedly not affected.

Secunia advisories - http://secunia.com/advisories/34380/
