Sun Ray Server Software utadmin information disclosure
sunray-utadmin-information-disclosure (31700)
Description:
The Sun Ray Server Software could allow a local attacker to obtain sensitive information, caused by an error in the authentication and logging services. An attacker could exploit this vulnerability to obtain the utadmin password.
Platforms Affected:
- RedHat, Advanced Server 3.0
- Sun, Ray Server Software 2.0
- Sun, Ray Server Software 3.0
- Sun, Solaris 10
- Sun, Solaris 8
- Sun, Solaris 9
- SuSE, Linux Enterprise Server 8
Remedy:
Refer to Sun Alert ID: 102779 for patch, upgrade, or suggested workaround information. See References.
Consequences:
Obtain Information
References:
- Sun Alert ID: 102779, Security Vulnerability in the Sun Ray Server Software Admin GUI at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102779-1.
- ASA-2007-041: Security Vulnerability in the Sun Ray Server Software Admin GUI (Sun 102779)
- BID-22192: Sun Ray Server Admin Graphical User Interface Administrator Password Disclosure Vulnerabilities
- CVE-2007-0482: cgi-bin/main in Sun Ray Server Software 2.0 and 3.0 before 20070123 allows local users to obtain the utadmin password by reading a web server's log file, or by conducting a different, unspecified local attack.
- SA23900: Sun Ray Server Software Password Disclosure
- SECTRACK ID: 1017547: Sun Ray May Disclose the Administrator's Password to Local Users
- VUPEN/ADV-2007-0316: Sun Ray Server Software Log File Administrative Password Disclosure Vulnerability
Reported:
Jan 23, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
