Hole found in Sun server software

Cambridge, Mass.-based @Stake issued a bulletin late Thursday on the vulnerability in Sun ONE Application Server. The hole is in the software's Connector Module, a Netscape server plug-in that links Sun ONE Application Server with Sun ONE Web Server, formerly known as iPlanet Enterprise Server.

The module uses a buffer of fixed size to register information requests sent to the server. By sending an especially long string of data, an attacker could overwrite data on the server and so take control of the machine.

"This is a classic stack buffer overflow, and a remote attacker can gain control of the running Web server," @Stake said in the alert.

The company said it notified Sun of the vulnerability last May, but received no response. @Stake representatives did not respond to a request for comment.

Buffer vulnerabilities have become an increasingly common way for malicious computer users to attack servers.

The Sun flaw affects versions 6.0 and 6.5 of Application Server. @Stake said a patch available from Sun fixes the problem in version 6.5, but there is no equivalent patch for 6.0. The alert offered several workarounds for companies running 6.0.

Deborah Andrade, product line manager for Sun, said the company issued the patch for 6.5 soon after it became aware of the flaw last year, and the fix has been incorporated in subsequent versions of Application Server.

Andrade said Sun didn't publish a patch for 6.0 because so few customers are still using it. Instead, customers who contact Sun support are directed to use a workaround similar to the one suggested by @Stake.

"Our 6.0 version was significantly older, and a lot of customers had already migrated," she said. "It's a pretty minimal pool of customers still using that version."

Andrade added that Sun has received no reports of attacks that exploited the vulnerability. "It has not been an issue to date," she said.