Note: This is an archival copy of Security Sun Alert 201438 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001084.1.
Article ID : 1001084.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Timing Based Attack Vulnerabilities in the Java Secure Socket Extension
Category
Security

Release Phase
Resolved

Bug Id
4822311, 4841890

Date of Resolved Release
28-AUG-2003

Impact

A vulnerability exists in the Java Secure Socket Extension (JSSE) where it may be possible under certain circumstances to gather information about Cipher Block Chaining (CBC) encrypted data that is transmitted over a Secure Sockets Layer (SSL) or a Transport Layer Security (TLS) channel. This issue does not expose private or session keys.

This issue is described in:

A second vulnerability exists where it may be possible under certain circumstances to extract private keys from an SSL server.

This issue is described in:


Contributing Factors

These issues can occur in the following releases:

  • JSSE in SDK and JRE 1.4.1_02 or earlier for Windows, Solaris and Linux
  • JSSE in SDK and JRE 1.4.0_04 or earlier for Windows, Solaris and Linux
  • JSSE 1.0.3_01 or earlier

Note: JSSE in SDK and JRE 1.4.2 and later is not affected.


Symptoms

There are no reliable symptoms that would show the described issues have been exploited.


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

These issues are addressed in the following releases:

  • SDK and JRE 1.4.1_03 and later for Windows, Solaris, and Linux
  • JSSE 1.0.3_02 and later

SDK and JRE releases are available at:

JSSE 1.0.3_02 is available at:
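To check an installed runtime against the version ranges given under "Contributing Factors" and "Resolution", the following POSIX sh script is an added example; it is not part of the original Sun Alert and not Sun/Oracle code. The `java -version` output it parses is a constructed sample, and any version the alert does not name (a 1.3.x JRE, or a 1.4.0 update above _04, for instance) is reported as "not-covered" rather than guessed.

```shell
#!/bin/sh
# Added example for Sun Alert 201438 (not Sun/Oracle code): classify a Java
# SDK/JRE or stand-alone JSSE version string against the ranges the alert lists.
# Affected (Contributing Factors): SDK/JRE 1.4.1_02 or earlier, 1.4.0_04 or earlier,
#                                  JSSE 1.0.3_01 or earlier
# Fixed (Resolution / Note):       SDK/JRE 1.4.1_03 and later, 1.4.2 and later,
#                                  JSSE 1.0.3_02 and later
# Anything the alert does not name is reported as "not-covered".

# Strip leading zeros so "_02" and "_10" compare as decimal numbers.
to_decimal() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    [ -z "$n" ] && n=0
    printf '%s' "$n"
}

# Split "1.4.1_02" into V_MAJOR, V_MINOR, V_MICRO and V_UPDATE.
split_version() {
    base=${1%%_*}
    upd=${1#*_}
    [ "$upd" = "$1" ] && upd=0          # no "_NN" suffix means update 0
    V_MAJOR=$(printf '%s' "$base" | cut -d. -f1)
    V_MINOR=$(printf '%s' "$base" | cut -d. -f2)
    V_MICRO=$(printf '%s' "$base" | cut -d. -f3)
    [ -z "$V_MICRO" ] && V_MICRO=0
    V_MAJOR=$(to_decimal "$V_MAJOR"); V_MINOR=$(to_decimal "$V_MINOR")
    V_MICRO=$(to_decimal "$V_MICRO"); V_UPDATE=$(to_decimal "$upd")
}

# SDK/JRE rule. Prints one of: affected | fixed | not-covered
jdk_status() {
    split_version "$1"
    if [ "$V_MAJOR" -eq 1 ] && [ "$V_MINOR" -eq 4 ]; then
        case $V_MICRO in
            0) [ "$V_UPDATE" -le 4 ] && echo affected || echo not-covered ;;
            1) [ "$V_UPDATE" -le 2 ] && echo affected || echo fixed ;;
            *) echo fixed ;;            # 1.4.2 and later are not affected
        esac
    elif [ "$V_MAJOR" -gt 1 ] || { [ "$V_MAJOR" -eq 1 ] && [ "$V_MINOR" -gt 4 ]; }; then
        echo fixed                      # "and later" than 1.4.2
    else
        echo not-covered                # 1.3.x and older JREs are not named by the alert
    fi
}

# Stand-alone JSSE 1.0.x package rule. Same output values.
jsse_status() {
    split_version "$1"
    if [ "$V_MAJOR" -eq 1 ] && [ "$V_MINOR" -eq 0 ]; then
        if [ "$V_MICRO" -lt 3 ]; then
            echo affected               # "1.0.3_01 or earlier" includes 1.0.2 and older
        elif [ "$V_MICRO" -eq 3 ]; then
            [ "$V_UPDATE" -le 1 ] && echo affected || echo fixed
        else
            echo fixed
        fi
    else
        echo not-covered
    fi
}

# Extract the quoted version from `java -version` output read on stdin.
# (The JRE prints that banner on stderr, so redirect 2>&1 before piping.)
version_from_output() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample banner, in the shape a 1.4.1_02 JRE prints it.
SAMPLE='java version "1.4.1_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_02-b06)
Java HotSpot(TM) Client VM (build 1.4.1_02-b06, mixed mode)'

v=$(printf '%s\n' "$SAMPLE" | version_from_output)
echo "sample JRE $v: $(jdk_status "$v")"
```

Against a live installation, run `java -version 2>&1 | version_from_output` and pass the result to `jdk_status`; the stand-alone JSSE 1.0.x package has no banner of its own, so its version is taken from the package's documentation or jar manifest and passed to `jsse_status` directly.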



Modification History

Product
Java 2 Platform, Standard Edition 1.4.1
Attachments
This solution has no attachment