Note: This is an archival copy of Security Sun Alert 201350 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001023.1.
Sun Java Enterprise System 5
Solaris 9 Operating System
Solaris 10 Operating System
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Sun Java Enterprise System 2005Q4
Sun Java Enterprise System 2004Q2
Date of Resolved Release
Security vulnerabilities in the Network Security Services (NSS) implementation of SSL2 may affect both SSL clients (such as browsers) and SSL servers which make use of this library. As a result, the client or server may exit unexpectedly, which is a type of Denial of Service (DoS). For servers running on Microsoft Windows, they may present a remote code execution vulnerability.
These vulnerabilities are in NSS's implementation of SSL2, not in the SSL2 protocol itself.
Note: NSS is a set of libraries that implement SSL2, SSL 3.0 and TLS (SSL 3.1). NSS is widely used. It is used in the Mozilla family of browsers offered by Sun to Solaris users. It is also used in the "Java Enterprise Server" (JES) family of server products, including Web server, Directory Server, Messaging Server, Application Server, Portal Server, and others. It is used for the built-in LDAPS client in Solaris 9 and 10 which may be used as part of the Solaris login program.
This issue is also described in the following documents:
These issues can occur in the following releases:
Note 1: Sun Java Enterprise System is not supported on Solaris 8 x86.
Note 2: SSL2 is the oldest of the SSL/TLS family of security protocols, and it is now widely regarded as comparatively weak and obsolete. It is therefore recommended that sites move away from SSL2 to SSL 3.0 or TLS.
To determine if the NSS packages are installed on a system, the following command can be run:
% pkginfo SUNWtls
To determine the version of NSS on a system, the following command can be run:
% pkgparam SUNWtls SUNW_PRODVERS
Systems affected by this issue have NSS version of 3.11.4 or earlier.
There are no reliable symptoms that would indicate the described issues have been exploited.
To work around the described issue, disable SSL2 in the products that use NSS. Disabling SSL2 will force NSS to use SSL 3.0 and/or SSL 3.1 (TLS).
The exact procedures to disable SSL2 varies from product to product. Browsers have panels of "preferences" in which SSL2 can be disabled. Servers have various administration tools including command line tools, GUI tools, and separate administration servers (web servers) that are accessed through a browser.
Note 1: FireFox 2.0 already has SSL2 disabled by default.
Note 2: Due to the weak security status of SSL2, customers are advised to disable SSL2 and leave it disabled, even when a fix for this vulnerability is available from Sun.
These issues are addressed in the following releases:
Sun Java Enterprise System 2005Q1 systems should either apply the workaround described in section 4: "Relief/Workaround" or upgrade to Sun Java Enterprise System 5 and apply patch 125923-01.
This solution has no attachment