Vulnerability Name:

CVE-2009-2712 (CCN-52294)

Assigned: 2009-08-05
Published: 2009-08-05
Updated: 2009-08-15
Summary: Sun Java System Access Manager 6.3 2005Q1, 7.0 2005Q4, and 7.1; and OpenSSO Enterprise 8.0; when AMConfig.properties enables the debug flag, allows local users to discover cleartext passwords by reading debug files.
CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
1.9 Low (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N)
1.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2009-2712

Source: OSVDB
Type: UNKNOWN
56815

Source: CCN
Type: SA36169
Sun Java System Access Manager Debug File Information Disclosure

Source: SECUNIA
Type: Vendor Advisory
36169

Source: CONFIRM
Type: Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119465-16-1

Source: CCN
Type: Sun Alert ID: 256668
A Security Vulnerability in Sun Java System Access Manager May Disclose Confidential Information

Source: SUNALERT
Type: Patch, Vendor Advisory
256668

Source: CCN
Type: OSVDB ID: 56815
Sun Java System Access Manager AMConfig.properties com.iplanet.services.debug.level Property Cleartext Credentials Local Disclosure

Source: BID
Type: UNKNOWN
35963

Source: CCN
Type: BID-35963
Sun Java System Access Manager Debug Files Local Information Disclosure Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2009-2177

Source: XF
Type: UNKNOWN
jsam-debug-info-disclosure(52294)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_10_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_8_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_9_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_10_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_8_sparc:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_9_sparc:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_10_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_8_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_9_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_10_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_8_x86:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_9_x86:*:*:*:*:*

  • Configuration 3:
  • cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_10_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_8_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:solaris_9_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_10_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_8_linux:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7_2005q4:*:solaris_9_linux:*:*:*:*:*

  • Configuration 4:
  • cpe:/a:sun:java_system_access_manager:7.0_2005q4:*:windows:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.1:*:windows:*:*:*:*:*

  • Configuration 5:
  • cpe:/a:sun:java_system_web_server:7.0:*:hp_ux:*:*:*:*:*

  • Configuration 6:
  • cpe:/a:sun:java_system_access_manager:7.1:*:war:*:*:*:*:*
  • OR cpe:/a:sun:opensso_enterprise:8.0:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:sun:java_system_access_manager:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:7.0_2005q4:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_access_manager:6.3_2005q1::solaris_10_linux:*:*:*:*:*
  • AND
  • cpe:/o:sun:solaris:8::x86:*:*:*:*:*
  • OR cpe:/o:sun:solaris:8::sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:9::x86:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10::sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*
  • OR cpe:/o:sun:solaris:9::sparc:*:*:*:*:*

  • * Denotes that component is vulnerable