TITLE:
Sybase EAServer JPasswordField Password Disclosure
SECUNIA ADVISORY ID:
SA20145
VERIFY ADVISORY:
http://secunia.com/advisories/20145/
CRITICAL:
Not critical
IMPACT:
Exposure of sensitive information
WHERE:
Local system
SOFTWARE:
Sybase EAServer 5.x
http://secunia.com/product/5398/
DESCRIPTION:
A security issue has been reported in Sybase EAServer, which can be
exploited by malicious, local users to disclose potentially sensitive
information.
The security issue is caused due to clear text passwords being
returned by the "getSelectedText()" method of the
"javax.swing.JPasswordField" UI component. This can potentially be
exploited to disclose the password that has been input into the
password field.
Successful exploitation requires that e.g. a user keys in his
password into a password prompt dialog box in a GUI application and
leaves dialog box open, or the attacker has access to the file that
stores private data from the JPasswordField UI component.
The security issue has been reported in the following versions:
Note: The security issue affects users who develop and deploy their
own J2EE Application Clients and Java GUI applications with EAServer
using the javax.swing.JPasswordField UI component. GUI applications
built by other vendors may also be affected.
SOLUTION:
Update to the fixed version or install EBF.
http://downloads.sybase.com/
EAServer Version 5.0 (HP-UX Itanium):
Install EBF# 13542
EAServer Version 5.2 (IBM AIX):
Install EBF# 13540
EAServer Version 5.2 (HP-UX PA-RISC):
Install EBF# 13539
EAServer Version 5.2 (Linux x86):
Install EBF# 13541
EAServer Version 5.2 (Sun Solaris SPARC):
Update to EAServer 5.3 and follow instructions in the latest version
of the online release bulletin.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.sybase.com/detail?id=1040665
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.