
Sun Java System Directory Proxy Server 6.x < 6.3.1 Update 1 Multiple Vulnerabilities

Medium

Synopsis

The remote host is running the Sun Java System Directory Proxy Server, an LDAP proxy server from Sun Microsystems.

Description

The installed version is earlier than 6.3.1 Update 1. Such versions are potentially affected by multiple vulnerabilities:

- Under certain conditions, simultaneous long binds are incorrectly assigned the same backend connections. An attacker may exploit this flaw to hijack an authenticated user's session and perform unauthorized operations. (CVE-2009-4440)
- The 'SO_KEEPALIVE' socket option is not enabled, and hence it may be possible for a remote attacker to trigger a denial of service condition by exhausting available connection slots. (CVE-2009-4441)
- The 'max-client-connections' configuration setting is not correctly implemented, thus it may be possible for a remote attacker to trigger a denial of service condition. (CVE-2009-4442)
- An unspecified vulnerability in the 'psearch' functionality could allow an attacker to trigger a denial of service condition. (CVE-2009-4443)

Solution

Upgrade to Sun Java System Directory Server 6.3.1 and apply patch 141958-01