Fred Donovan alerted Sun Microsystems to a server vulnerability before it became a major problem for the multimillion dollar company.
Donovan, Chief InfoSec Architect of Donovan Networks, found that encryption protocol errors made the Sun Java System Application Server 9.0_0.1 susceptible to enumeration.
Donovan was performing security testing of the Operating System 2 when he discovered the potential problem.
He said that configuring the Object Request Broker (ORB) of a web server is a common task, but that it is rarely tested. Donovan decided to run a vulnerability test based solely on the encryption capability of the server, because the Sun AS is run on a production network and vulnerable ciphers should not be used on internet-facing devices.
After discovering the problem, Donovan reported the unusual vulnerability to Sun Microsystems.
“I informed Sun Microsystems of this vulnerability, so it is in their court to make a security fix for the product,” Donovan said.
The discovery has demonstrated Donovan Networks’ potential in the field of independent data security research, and has won it new recognition in the security community.
Donovan is currently on contract in New York working as the senior application security engineer for a Fortune 500 multi-national corporation.
For more information about the vulnerability, visit the NIST National Vulnerability Database at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4511 or the Security Focus Vulnerability Database at http://www.securityfocus.com/archive/1/477315.
For more information about Donovan Networks, visit the company website at http://www.donovannetworks.com.