The Atlanta-based Spi Dynamics
issued the warning without the availability of a patch or workaround from
. A spokesperson for Sun confirmed the
existence of the security holes and said one of the bugs has already been
fixed in Update 1 of Application Server 7.0.
"We're aware of the security issues and have fixes underway. The other three bugs will be fixed in Update 2, expected to be available in August," the spokesperson told internetnews.com.
However, a JSP source code disclosure vulnerability which carries a "High" severity rating is still unpatched.
"We made numerous efforts to contact Sun and work with them on a fix for these issued but they never responded. We followed all the necessary disclosure procedures and notified Sun since March 18. We had no choice but to go public because, in this case, the vendor was completely unresponsive. We have a responsibility to the public at large to disclose this vulnerability," Cohen said in an interview.
Cohen said it was "unacceptable" for a software vendor the size of Sun Microsystems to be unresponsive to security warnings from researchers. Since March 18, Cohen said Sun's security unit responded once to say the holes were being patched but they needed time because the developer was on vacation. Since then, he said numerous attempts to get an update from Sun were unsuccessful.
The Sun spokesperson denied Cohen's claim. "Spi was notified in previous communications of Sun's plan to fix these bugs," she said.
Meanwhile, the serious JSP vulnerability won't be fixed until Sun issues Update 2 for the product in August. However, the spokesperson said Sun would make the fix available upon request prior to general availability of the update. "Customers can contact Sun through their normal support channels to obtain the fix," she said.
The latest controversy comes on the heels of a public spat between the Apache Software Foundation (ASF) and the Internet Security Systems (ISS) over the way a warning about a security hole in the Apache HTTP Server was handled.
In that case, an easy-to-use exploit for the hole was circulating on the Internet before Apache got a chance to plug the vulnerability. Apache officials were upset they weren't first notified before the ISS issued its advisory, a normal procedure when bugs are detected. Since then, Apache has taken a proactive approach to issuing updates to avoid embarrassment.
Gartner security analyst John Pescatore rapped Sun for being notoriously slow to fix known holes in its products. "In this day and age, if a consultant finds a vulnerability and notifies the vendor, two weeks is reasonable time to make a patch available," Pescatore said. In some cases, vendors can request more time to get a fix ready but, if its drags on for more than a month, Pescatore said the researcher has no option but to release the information.
"Anything more than a month is just dragging things on too long and setting up a 'Day Zero' situation," he declared, noting that Spi Dynamics has a history of being very responsible about reporting vulnerabilities.
"If you go back a number of years, before Solaris, when Sun had the most popular operating system for servers connected to the Internet, Sun would go six months without fixing a vulnerability. Back then, no one publicized these things so it was not a huge deal. But, in this day and age, that's not going to happen," Pescatore said.
He said the latest controversy underscores the need for an acceptable protocol for cooperation between independent researchers and software vendors. "In general, the communication has worked well but there are times when it could be improved."
Back in 2002, Pescatore said Microsoft
tried to get a
group of software vendors together to define a protocol via an Internet RFC
but that proposal got bogged down because too many consultants mistrusted
There is a feeling that pressure for independent researchers could be a good thing. "If the vendors didn't have this pressure from the consultancies, then they just wait too long to come out with a patch. I think the tension has its benefits," Pescatore declared.