Note: This is an archival copy of Security Sun Alert 201452 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001093.1.
Date of Workaround Release
Date of Resolved Release
In Sun ONE Application Server or Sun ONE/iPlanet Web Server, it may be possible under certain circumstances to gather information about the data transmitted over a Secure Sockets Layer (SSL) or a Transport Layer Security (TLS) channel. This vulnerability is due to the way error handling is implemented with Cipher Block Chaining (CBC) mode ciphers in SSL and TLS and has been described in:
The described issue does not expose private or session keys. This issue primarily affects TLS rather than SSL version 3.
This issue may occur in the following releases:
Note: All architectures and platforms are impacted by this issue.
For supported architectures and OS versions see:
There are no visible symptoms that would show the described issue has been exploited.
To workaround the descibed issue follow the steps below:
Sun ONE/iPlanet Web Server 6.0 Service Pack 1 through 5
Disable TLS or disable the following ciphers :
Fortezza with 80 bit encryption and SHA message authentication DES with 56 bit encryption and SHA message authentication RC2 with 40 bit encryption and MD5 message authentication (FIPS) Triple DES with 168 bit encryption and SHA message authentication (FIPS) DES with 56 bit encryption and SHA message authentication Triple DES with 168 bit encryption and SHA message authentication
To Disable TLS or disable the above ciphers:
Login to the admin server and click on the instance to be managed Click on preferences -> Edit listen sockets Click on the attributes for the listen socket to be edited click on attributes click on SSL2 and SSL3/TLS to disable TLS or above mentioned ciphers
Sun ONE Application Server 7.0
Disable TLS or disable the following ciphers:
rsa_3des_sha rsa_des_sha rsa_rc2_40_md5 rsa_des_56_sha
To disable TLS or disable the above ciphers:
Login to the admin server and click on App server instances Click on the server to disable the TLS or ciphers Click on HTTP Server Click HTTP Listeners -http-listener-x and the values will be seen in the right frame
This issue is addressed in the following releases:
The above releases are available for download at:
Sun ONE/iPlanet Web Server 6.0 Service Pack 6
Sun ONE Application Server 7.0 Update Release 1
Sun ONE Web Server 6.1 (Localized)
iPlanet Web Server 6.0 Enterprise Edition
This solution has no attachment