Patch-ID# 136987-03 NOTE: *********************************************************************** READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE. *********************************************************************** For further information on patching best practices and resources, please see the Big Admin Patching Center, http://www.sun.com/bigadmin/patches/ *********************************************************************** Keywords: java_es-5 multiple container support security Synopsis: Sun Java Web Console 3.0.2: Security fixes Date: Jun/11/2009 Install Requirements: NA Solaris Release: 8 SunOS Release: 5.8 Unbundled Product: Sun Java Web Console Unbundled Release: 3.0.2 Xref: This patch is available for Solaris SPARC as 136987, 125950, 125952, for Solaris x86 as 136986, 125951, 125953, for RHEL3.0, RHEL4.0 as 125954, for Windows Unbundled as 127534, Windows bundled with JES as 125955 Topic: Relevant Architectures: sparc BugId's fixed with this patch: 6505096 6614074 6731783 6763558 Changes incorporated in this version: 6763558 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /usr/share/webconsole/lib/SMIWebCommon.jar /usr/share/webconsole/lib/cc.jar /usr/share/webconsole/private/container/server/webapps/manager/WEB-INF/lib/console_manager.jar /usr/share/webconsole/private/lib/console_admin.jar /usr/share/webconsole/private/lib/console_config.jar /usr/share/webconsole/private/lib/console_manager.jar /usr/share/webconsole/private/templates/tomcat/consolelogin_conf.tpl /usr/share/webconsole/webapps/console/WEB-INF/lib/SMIWebConsole.jar /usr/share/webconsole/webapps/console/com_sun_web_ui/help/helpwindow.jsp /usr/share/webconsole/webapps/console/com_sun_web_ui/help/masthead.jsp /usr/share/webconsole/webapps/console/html/en/console_version.shtml /usr/lib/webconsole/libwebconsole_services.so Problem Description: 6763558 cross-site scripting (XSS) vulnerability reported in two Sun Java Web Console help jsp scripts (from 136987_02) 6731783 /console/faces/jsp/login/BeginLogin.jsp (redirect_url takes arbitrary urls) (from 136987_01) 6614074 adminverifier needs to bracket its privileges 6505096 Security vulnerability in Sun Java Web Console Patch Installation Instructions: -------------------------------- For Solaris 8 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/136987-03 The following example removes a patch from a standalone system: example# patchrm 136987-03 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- README -- Last modified date: Thursday, June 11, 2009