November 01, 2004, 4:16 PM — Sun Microsystems Inc. has warned of a serious security flaw affecting one component of its flagship Java System Web server line of products.
The flaw, in the Java System Web Proxy Server -- until recently called the Sun One Web Proxy Server -- could allow a remote attacker to gain access to a vulnerable system. The proxy server, used by e-commerce sites, enterprises and ISPs to cache and filter Web content, is a companion product to the Java System Web Server, Sun's main server software.
A buffer overflow vulnerability -- one of the most common types of security bugs -- could allow an attacker to crash either the Web Proxy Server process or the server's Admin Server process. More seriously, an attacker could execute malicious code on the server with the privileges of the affected server process, Sun said.
The bug was discovered by Matt Moore of Pentest, which has not yet released details of how the vulnerability works. Sun released an advisory on Friday, along with a patch. Server versions 3.6 Service Pack 4 and earlier are affected.
There is no reliable way for system administrators to tell if the vulnerability has been exploited, Sun said, although the affected processes may crash as a result of a successful exploit. Danish security firm Secunia, in an advisory published on Monday, ranked the flaw as "highly critical", its second-highest severity rating.
Sun's server software is one of the top three most widely used on the Internet, though it trails Microsoft Corp. and Apache by a wide margin, according to a survey of Web servers by U.K. Web analysis firm Netcraft Ltd.