Two buffer overflows have been found in the SOCKS module of Sun Java System Web Proxy Server 4.0 which may allow a local or remote unprivileged user the ability to execute arbitrary code with the privileges of the SOCKS server or cause a Denial of Service (DoS) to the SOCKS server. The SOCKS server normally runs with root privileges.
One of the vulnerabilities (BugID 6537736) requires authentication before it can be exploited; however, the default configuration is for no authentication to be required to access the SOCKS server.
Sun acknowledges with thanks, iDefense (http://www.idefense.com), for bringing these issues to our attention.
These issues are also described in the following document: