Welcome!

Cloud Security Authors: Pat Romanski, Elizabeth White, Zakia Bouachraoui, Yeshim Deniz, Liz McMillan

Related Topics: Cloud Security

News Feed Item

Core Security Technologies Discovers Critical Vulnerabilities in Sun Calendar Express

Core Security Technologies, provider of CORE IMPACT solutions for comprehensive enterprise security testing, has issued an advisory disclosing critical vulnerabilities that could affect large numbers of end users and organizations using Sun’s Java System Calendar Express web server software.

Core Security Technologies consultants working with CoreLabs, the research arm of Core Security, unearthed multiple vulnerabilities in Sun’s Calendar Express scheduling software, a remote access element of Sun’s Java Communications Suite, which, if compromised, could allow attackers to target users of the technology through both cross-site scripting (XSS) and denial-of-service (DoS) campaigns.

Upon making the discoveries, CoreLabs immediately alerted the Sun Security Coordination Team to the vulnerabilities and the two companies have since synchronized efforts to ensure that patches could be created and made available to protect users of the program.

“Although some years ago Cross-Site Scripting vulnerabilities were not considered important or relevant threats by the security intelligentsia, their pervasiveness in almost all kinds of web applications and the possibility for attackers to leverage them to gain control of users’ web browsers highlight a real world security problem that merits closer scrutiny and timely resolution,” said Ivan Arce, CTO of Core Security Technologies.

Sun’s Calendar Express technology is aimed primarily at organizations seeking to offer their users remote access to internal scheduling and messaging tools. This leads CoreLabs researchers to believe that any attackers who become familiar with the reported vulnerabilities could potentially use the flaws to get their hands on sensitive business or personal data or to take systems offline via DoS.

The XSS issues uncovered by researchers in Sun Calendar Express reside in the product’s login page and another URL, while the DoS vulnerability could be compromised by simply requesting data from a certain URL twice.

All of the vulnerabilities were initially discovered and researched by the Security Consulting Services team from Core Security Technologies.

Vulnerability Details

Sun Java System Calendar Express

CoreLabs security researchers found multiple XSS vulnerabilities and a single DoS vulnerability in Java System Calendar Express web server, with the XSS flaws located specifically in two individual URLs, and the DoS vulnerability in a third URL.

In the case of the first XSS vulnerability, which affects the login page of the Sun Java System Calendar Express web application, the affected URL is originally accessed through a POST request and can be exploited both with a GET and with a POST request. The contents of the variables involved in a potential attack are not encoded at the time of using them in HTML output, therefore allowing an attacker who controls their content to insert JavaScript code.

In the second XSS vulnerability, the contents of the affected URL’s date variable are not encoded at the time they are used in HTML output, therefore allowing an attacker who controls their contents to insert JavaScript code. Other fields on this or other pages for this application could also be vulnerable to the same type of issue.

Regarding the DoS vulnerability, an attacker can crash the Sun Java System Calendar Express web server by simply requesting data from a specific URL twice. Such a crash can in fact be touched off using any string of alphabetic characters. The first time the data is entered the attacker will receive an error. Entering the data a second time will cause the server to cease responding until the administrator restarts the process.

For more information on this vulnerability, please view the CORE-2009-0108 Security Advisory at: http://www.coresecurity.com/content/sun-calendar-express.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. It conducts its research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Its results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

About Core Security Technologies

Core Security Technologies is the leader in comprehensive security testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, Mass. and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

IoT & Smart Cities Stories
The graph represents a network of 1,329 Twitter users whose recent tweets contained "#DevOps", or who were replied to or mentioned in those tweets, taken from a data set limited to a maximum of 18,000 tweets. The network was obtained from Twitter on Thursday, 10 January 2019 at 23:50 UTC. The tweets in the network were tweeted over the 7-hour, 6-minute period from Thursday, 10 January 2019 at 16:29 UTC to Thursday, 10 January 2019 at 23:36 UTC. Additional tweets that were mentioned in this...
Over the course of two days, in addition to insightful conversations and presentations delving into the industry's current pressing challenges, there was considerable buzz about digital transformation and how it is enabling global enterprises to accelerate business growth. Blockchain has been a term that people hear but don't quite understand. The most common myths about blockchain include the assumption that it is private, or that there is only one blockchain, and the idea that blockchain is...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Never mind that we might not know what the future holds for cryptocurrencies and how much values will fluctuate or even how the process of mining a coin could cost as much as the value of the coin itself - cryptocurrency mining is a hot industry and shows no signs of slowing down. However, energy consumption to mine cryptocurrency is one of the biggest issues facing this industry. Burning huge amounts of electricity isn't incidental to cryptocurrency, it's basically embedded in the core of "mini...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
The term "digital transformation" (DX) is being used by everyone for just about any company initiative that involves technology, the web, ecommerce, software, or even customer experience. While the term has certainly turned into a buzzword with a lot of hype, the transition to a more connected, digital world is real and comes with real challenges. In his opening keynote, Four Essentials To Become DX Hero Status Now, Jonathan Hoppe, Co-Founder and CTO of Total Uptime Technologies, shared that ...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Every organization is facing their own Digital Transformation as they attempt to stay ahead of the competition, or worse, just keep up. Each new opportunity, whether embracing machine learning, IoT, or a cloud migration, seems to bring new development, deployment, and management models. The results are more diverse and federated computing models than any time in our history.