Format string vulnerability in libwebconsole_services.so in Sun Java Web Console 2.2.2 through 2.2.5 allows remote attackers to cause a denial of service (application crash), obtain sensitive information, and possibly execute arbitrary code via unspecified vectors during a failed login attempt, related to syslog. Root-level code execution is only possible if the web console is running as root, which it does not do by default.

The vendor has addressed this issue through multiple product updates:
Sun Java Web Console 2.2.2
http://www.sun.com/download/products.xml?id461d58be
Sun Java Web Console x86 2.2.2
http://www.sun.com/download/products.xml?id461d58be
Sun Java Web Console x86 2.2.3
http://www.sun.com/download/products.xml?id461d58be
Sun Java Web Console 2.2.3
http://www.sun.com/download/products.xml?id461d58be
Sun Java Web Console x86 2.2.4
http://www.sun.com/download/products.xml?id461d58be
Sun Java Web Console 2.2.4
http://www.sun.com/download/products.xml?id461d58be
Sun Java Web Console x86 2.2.5
http://www.sun.com/download/products.xml?id461d58be
Sun Java Web Console 2.2.5
http://www.sun.com/download/products.xml?id461d58be
Publication date: Thu, 19 Apr 2007 15:19:00 +0000
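
The bug class named in the advisory above, untrusted text reaching syslog() as the format string on a failed login, is closed by always passing a constant format. The C code below is an added example, not code from libwebconsole_services.so or the vendor. It assumes for illustration that the login name is the untrusted value (the advisory leaves the vector unspecified), and all function names and the sample input are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added illustration with hypothetical names, not the vendor's code.
 * Vulnerable pattern, for contrast: syslog(LOG_AUTH | LOG_WARNING, user);
 * there the untrusted text is itself the format string. */

/* Count '%' characters that would start a conversion directive.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* "%%": skip the escaped percent */
        else
            n++;
    }
    return n;
}

/* Build the log line with a constant format; the name is data only. */
int format_failed_login(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "login failed for user '%s'", user);
}

/* Hardened logging call: constant "%s" format, plus an alert when the
 * submitted name carries directives (a useful detection signal). */
void log_failed_login(const char *user)
{
    char line[256];
    int hits = count_format_directives(user);
    format_failed_login(line, sizeof line, user);
    syslog(LOG_AUTH | LOG_WARNING, "%s", line);
    if (hits > 0)
        syslog(LOG_AUTH | LOG_ALERT, "%d format directives in login name", hits);
}

int main(void)
{
    const char *probe = "admin%x%x%n";   /* constructed sample input */
    char line[256];
    format_failed_login(line, sizeof line, probe);
    printf("%s (directives: %d)\n", line, count_format_directives(probe));
    return 0;
}
```

Compiling logging code with `-Wformat -Wformat-security` flags calls of the vulnerable shape, where a non-literal string is passed as the format argument.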