J-Security Center

Title: New Atlanta ServletExec Unauthorized Access Vulnerability

Severity: HIGH

Description:

ServletExec is a Java-based web application server available for various operating systems; this issue is reported to affect versions running on Windows 2000 and Windows NT.

It has been reported that New Atlanta ServletExec is affected by an unauthorized access vulnerability. This issue is due to an access validation error.

The problem presents itself when an unauthorized user attempts to upload a file to the affected application server. Apparently users with no authorization are able to upload and execute arbitrary files on the affected computer.

It has been speculated that this issue is due to the affected server failing to regulate access to a script that provides file-upload functionality to users; it is known that attempts to access the 'UploadServlet' file cause a NULL pointer exception. It may be possible to request the affected script with a URI argument specifying a file to be uploaded, although this is not confirmed.

The information currently available is insufficient to provide a more in-depth technical description; this BID will be updated when more details become available.

This issue would allow an attacker to upload and execute files on the affected computer, facilitating unauthorized interactive access as well as other attacks. This issue might also be leveraged to cause a denial of service condition in the affected server.
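As an added defensive example, not part of this advisory: a small Python scan over constructed web-server access-log lines that groups requests referencing UploadServlet by client and notes whether the same client later fetched an executable-looking resource successfully. The /servlet/UploadServlet path, the 500 status standing in for the NULL pointer exception, and the follow-up suffix list are assumptions, since the advisory names only 'UploadServlet'.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format), not real traffic.
# The /servlet/UploadServlet path and the 500 status are assumptions: the
# advisory names only 'UploadServlet' and a NULL pointer exception.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1203
10.0.0.9 - - [12/Mar/2002:10:01:10 +0000] "POST /servlet/UploadServlet HTTP/1.0" 500 412
10.0.0.9 - - [12/Mar/2002:10:01:15 +0000] "GET /servlet/UploadServlet?file=x.jsp HTTP/1.0" 500 412
10.0.0.5 - - [12/Mar/2002:10:02:00 +0000] "GET /servlet/HelloWorld HTTP/1.0" 200 55
10.0.0.9 - - [12/Mar/2002:10:02:30 +0000] "GET /x.jsp HTTP/1.0" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

EXEC_SUFFIXES = (".jsp", ".exe", ".bat", ".cmd")  # assumed follow-up types

def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def find_upload_servlet_activity(text, marker="uploadservlet"):
    """Group requests that reference the upload servlet by client IP and list
    executable-looking paths the same client later fetched with a 200 (a
    heuristic hint that an uploaded file was reached)."""
    entries = parse_log(text)
    report = defaultdict(lambda: {"upload_requests": 0, "followups": []})
    for i, e in enumerate(entries):
        if marker in e["path"].lower():
            rec = report[e["ip"]]
            rec["upload_requests"] += 1
            for later in entries[i + 1:]:
                p = later["path"].split("?")[0].lower()
                if (later["ip"] == e["ip"] and later["status"] == "200"
                        and p.endswith(EXEC_SUFFIXES)
                        and p not in rec["followups"]):
                    rec["followups"].append(p)
    return dict(report)

if __name__ == "__main__":
    for ip, rec in find_upload_servlet_activity(SAMPLE_LOG).items():
        print(ip, rec)
```

Run against a real log, a client with upload requests followed by successful fetches of new .jsp resources is the case worth triaging first; the 500 responses alone only show that the servlet was reached.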

Affected Products:

  • Cisco Collaboration Server 3.0.0
  • Cisco Collaboration Server 3.0.0 1
  • Cisco Collaboration Server 3.0.0 2
  • Cisco Collaboration Server 4.0.0
  • NewAtlanta ServletExec 2.2.0
  • NewAtlanta ServletExec 3.0.0
