Note: This is an archival copy of Security Sun Alert 200266 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000208.1.
Date of Resolved Release
A buffer overflow vulnerability exists in the Netscape Network Security Services (NSS) library suite, a security component used by most of the Sun Java Enterprise System (JES) components such as Web Server, App Server and Portal Server. This vulnerability may allow a remote unprivileged user to execute arbitrary code on vulnerable systems during SSLv2 connection negotiation. This issue is described in the Internet Security Systems Advisory at http://xforce.iss.net/xforce/alerts/id/180.
Additional information about JES 2004Q2 can be found at http://wwws.sun.com/software/javaenterprisesystem/.
Additional information about NSS can be found at http://www.mozilla.org/projects/security/pki/nss/.
2. Contributing Factors
This issue can occur in the following releases:
Note: Sun Java Enterprise System was not available for Solaris 8 on the x86 Platform for 2003Q4 and 2004Q2 releases.
To determine the current library version, the following command can be used:
# /usr/bin/pkgparam SUNWtls SUNW_PRODVERS
3.3.
The major JES components that utilize NSS are:
There are no visible symptoms that would indicate the described issue has been exploited.
There is no workaround. Please see the "Resolution" section below.
This issue is addressed in the following releases:
Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Sun Java Enterprise System 2003Q4