We've been running a vulnerability assessment and we wanted to check the status of the JSCI SSO URI Pattern Matching Access Validation Vulnerability problem as noted at http://www.securityfocus.com/bid/8353 in versions of Vintela Single Sign-on for Java (VSJ).
Has this vulnerability been fixed in VSJ?
Description of the vulnerability
JSCI SSO has been reported prone to an access validation vulnerability under certain circumstances.
The issue presents itself in pattern-matching tags contained in JSCI SSO configuration files; these tags are used when controlling access to Java applications. It has been reported that these pattern-matching tags match an entire URI rather than the relative path to the secured Java application. This may mean that if the protected Java application is moved and has a different context root, JSCI SSO will not protect it.
The fixes for the vulnerability are available in VSJ version 3.3, which can be downloaded from the support website (support.quest.com) under downloads and updates.
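
The following added example (not code from VSJ or JSCI SSO) illustrates the behaviour in the description above: a rule compared with the entire URI stops matching once the application is redeployed under a different context root, while the same rule compared with the context-relative path still applies. The rule syntax (a path prefix ending in "/*"), the class and method names, and the sample paths are assumptions made for illustration.

```java
import java.util.List;

// Added illustration; the rule syntax (a path prefix ending in "/*") is an
// assumption, not the JSCI SSO configuration format.
public class UriPatternDemo {
    // Hypothetical rule written while the application was deployed under /hr.
    static final String FULL_URI_RULE = "/hr/secure/*";
    // The same rule expressed relative to the application's context root.
    static final String RELATIVE_RULE = "/secure/*";

    // Prefix match for patterns ending in "/*"; exact match otherwise.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String base = pattern.substring(0, pattern.length() - 2);
            return path.equals(base) || path.startsWith(base + "/");
        }
        return path.equals(pattern);
    }

    // Behaviour described above: the pattern is compared with the entire URI.
    static boolean protectedByFullUri(String requestUri) {
        return matches(FULL_URI_RULE, requestUri);
    }

    // Context-relative check: strip the context root before comparing
    // (in a servlet these values come from getRequestURI() and getContextPath()).
    static boolean protectedByRelativePath(String requestUri, String contextPath) {
        if (!requestUri.startsWith(contextPath)) return true; // fail closed on mismatch
        String relative = requestUri.substring(contextPath.length());
        return matches(RELATIVE_RULE, relative);
    }

    public static void main(String[] args) {
        // Constructed sample requests: {request URI, context root}.
        List<String[]> samples = List.of(
            new String[] {"/hr/secure/payroll", "/hr"},        // original deployment
            new String[] {"/hr-v2/secure/payroll", "/hr-v2"},  // moved to a new context root
            new String[] {"/hr-v2/public/index", "/hr-v2"});   // page outside the rule
        for (String[] s : samples) {
            System.out.printf("%-24s fullUri=%-5b relative=%b%n", s[0],
                protectedByFullUri(s[0]), protectedByRelativePath(s[0], s[1]));
        }
    }
}
```

When reviewing a deployment, the second sample is the case to look for: any access rule that embeds the context root needs rechecking whenever the application is moved or renamed.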