Product: Sun Java System Access Manager 7.1

There are two vulnerabilities associated with this issue:

1. When Sun Java System Access Manager 7.1 is installed in a Sun Java System Application Server 9.1 container and the container is restarted, no authentication screen is displayed. Any application that relies on container-based authentication no longer works correctly, because every user is granted access without authenticating. This can lead to unprivileged, non-administrative users performing administrative tasks. For example, the Admin Console (a pre-deployed system application used to administer the Application Server) no longer prompts users for authentication. Thus anyone, whether they have administrative privileges or no privileges, could administer the Application Server.

2. When Sun Java System Access Manager 7.1 is installed in a Sun Java System Application Server 8.x container, the installation may be vulnerable to malicious code. If an application is deployed in such an environment, then a local or remote unprivileged user may be able to execute arbitrary code with the privileges of the deployed application.

State: Resolved
First released: 27-Sep-2007

Trackback URL: http://blogs.sun.com/security/entry/sun_alert_103069_installation_of