Sun Java System Directory Proxy Server 6.x < 6.3.1 Update 1 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 5289

Synopsis

The remote host is running the Sun Java system Directory Proxy Server, and LDAP proxy server from Sun Microsystems.

Description

The installed version is earlier than 6.3.1 Update 1. Such versions are potentially affected by multiple vulnerabilities :

- Under certain conditions simultaneous long binds are incorrectly assigned the same backed connections. An attacker may exploit this flaw to hijack an authenticated user's session and perform unauthorized operations. (CVE-2009-4440)
- 'SO_KEEPALIVE' socket option is not enabled, and hence it may be possible for a remote attacker to trigger a denial of service condition by exhausting available connection slots. (CVE-2009-4441)
- 'max-client-connections' configuration setting is not correctly implemented, thus it may be possible for a remote attacker to trigger a denial of service condition. (CVE-2009-4442)
- An unspecified vulnerability in the 'psearch' functionality could allow an attacker to trigger a denial of service condition. (CVE-2009-4443)

Solution

Upgrade to Sun Java System Directory Server 6.3.1 and apply patch 141958-01

See Also

http://sunsolve.sun.com/search/document.do?assetkey=1-66-270789-1

Plugin Details

Severity: Medium

ID: 5289

Family: Generic

Published: 12/30/2009

Updated: 3/6/2019

Nessus ID: 43615

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sun:java_system_directory_server

Patch Publication Date: 12/23/2009

Vulnerability Publication Date: 12/23/2009

Reference Information

CVE: CVE-2009-4440, CVE-2009-4441, CVE-2009-4442, CVE-2009-4443

BID: 37481