Thursday, August 5, 2010

New Web Vulnerabilities in ServletExec Application Server

New Atlanta ServletExec is a web application server that is bundled with many enterprise applications. Several vendors make extensive use of ServletExec in their software solutions: CA (SiteMinder), BMC Software (Remedy), SAP, etc.

ServletExec is usually deployed as an ISAPI component on top of IIS, giving the Microsoft web server the ability to serve JSP and J2EE applications.

Vulnerabilities in web servers are particularly serious, since their impact extends to every web application they host. You should upgrade to the latest ServletExec hotfix; without it, your application is exposed to a path traversal and a security bypass vulnerability.

Original Advisory by Minded Security:
New Atlanta ServletExec Multiple Security Issues

Official Fix:
New Atlanta Hotfix July 2010