Note: This is an archival copy of Security Sun Alert 201438 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001084.1. |
Category Security Release Phase Resolved 4822311, 4841890 Date of Resolved Release 28-AUG-2003 Impact A vulnerability exists in Java Secure Socket Extension(JSSE) where it may be possible under certain circumstances to gather information about Cipher Block Chaining (CBC) encrypted data that is transmitted over a Secure Sockets Layer (SSL) or a Transport Layer Security (TLS) channel. This issue does not expose private or session keys. This issue is described in: A second vulnerability exists where it may be possible under certain circumstances to extract private keys from an SSL server. This issue is described in: Contributing Factors This issue can occur in the following releases:
Note: JSSE in SDK and JRE 1.4.2 and later are not affected. Symptoms There are no reliable symptoms that would show the described issues have been exploited.
Workaround There is no workaround. Please see the "Resolution" section below. Resolution This issue is addressed in the following releases:
SDK and JRE releases are available at: JSSE 1.0.3_02 is available at: Modification History Product Java 2 Platform, Standard Edition 1.4.1 Attachments This solution has no attachment |
|