Software Engineering Institute

The Sun Java System Portal Server is a content management system that provides centralized login capabilities and administration. The Calendar Server is an optional product that can be used by the portal server to provide users the ability to collaboratively manage schedules and share resources. A vulnerability exists in the way changes to the display options are handled by the Sun Java System Portal Server. By changing the display options to a non-default view, a user could gain access to the administrative credentials on the Calendar Server.

According to the Sun Security Alert, this vulnerability only occurs if the following two conditions are true:

• Admin Proxy Authentication is configured on the Calendar Server
• Calendar access is via the "Portal" communication channel and not the "Unified Web Client" or the "Calendar Web Client"

A remote, authenticated user could gain access to the administrative credentials of the Calendar server.

Apply Patch
Sun has released an advisory which addresses this issue. For more information on patches available for your system, please refer to Sun Security Alert: 57586.

Restrict Access
Sun recommends that you not allow end users the ability to edit the calendar channels "calendar" or "view" display profile properties when Admin Proxy Authentication is enabled.