A buffer overflow in Macromedia Inc.'s JRun Java 2 Enterprise Edition (J2EE) server could allow an attacker to take complete control of a vulnerable server, according to a bulletin released Wednesday by security group Next Generation Security Software Ltd.
The vulnerability exists in JRun 3.1 running on Microsoft Corp.'s Internet Information Services (IIS) 4.0 and 5.0 on Windows NT 4 and Windows 2000, the group said in its alert. The group contacted Macromedia about the bug in early April and a new version of JRun, version 4.0, has been released since then that should fix the problem, the group said. The group urged users to upgrade to the newest version of the software.
A patch to fix the issue without upgrading to JRun 4 is available from Macromedia at http://www.macromedia.com/v1/Handlers/index.cfm?ID=22273&Method=Full.
The flaw, which can be exploited remotely, comes as a result of an ISAPI (Internet Services Application Programming Interface) file created when JRun is installed, the security group said. ISAPIs are a part of IIS designed to offer more functionality to programs.
The ISAPI related to JRun can be accessed directly and acts like an application when it is, the group said. When the file is accessed, it is vulnerable to a buffer overflow that can allow any code supplied in the attack to be run in the system's local security context, the group said.
ISAPIs have caused a number of problems for users in the past year. Mostly recently, Microsoft patched two IIS holes in April that allow attackers to run code of their choice on vulnerable IIS systems. Another ISAPI flaw was exploited in mid-2001 by the Code Red worm, which infected thousands of computers worldwide and was one of the year's major security events.
Next Generation Security Software's full alert can be found at the group's Web site at http://www.ngssoftware.com/advisories/jrun.txt.