Note: This is an archival copy of Security Sun Alert 201603 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001203.1.
Date of Workaround Release
Date of Resolved Release
A vulnerability exists in the Netscape Network Security Services (NSS) library suite which affects the Sun Java System Web Server and Sun Java System Application Server. This vulnerability may allow a remote unprivileged user to execute arbitrary code on vulnerable systems during SSLv2 connection negotiation.
This issue is described in the following Internet Security Systems Advisory: http://xforce.iss.net/xforce/alerts/id/180
This issue can occur in the following releases:
Note: All architectures and platforms are impacted by this issue.
There are no visible symptoms that would show the described issue has been exploited.
To prevent the described issue from occurring, disable SSLv2 and all associated SSLv2 ciphers as shown below:
For Webserver 6.0:
For Webserver 6.1:
For Appserver 7.0 and 7 2004Q2:
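Whichever server the workaround is applied to, one way to confirm that SSLv2 is really off is to send an SSLv2-only CLIENT-HELLO to a listener you administer and classify the reply. This is an added example, not part of the original Sun Alert or any Sun tool; the function names and result labels are assumptions made for illustration, and the message layout follows the SSL 2.0 specification.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = [
    b"\x01\x00\x80",  # RC4_128_WITH_MD5
    b"\x02\x00\x80",  # RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # DES_192_EDE3_CBC_WITH_MD5
]

def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record offering only SSLv2 ciphers."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    # msg type 1, version 0x0002, cipher-spec len, session-id len 0, challenge len
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    # 2-byte record header: high bit set, 15-bit length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Classify the first bytes a server sends back (hypothetical labels)."""
    if not data:
        return ("closed", 0)            # connection dropped: SSLv2 refused
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 4:
        if len(data) >= 11 and data[5:7] == b"\x00\x02":
            spec_len = struct.unpack(">H", data[9:11])[0]
            return ("sslv2-enabled", spec_len // 3)  # SERVER-HELLO, cipher count
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0:
        return ("sslv2-error", 0)       # SSLv2 ERROR message: protocol still parsed
    if data[0] == 0x15:
        return ("tls-alert", 0)         # SSLv3/TLS alert: SSLv2 refused
    return ("unknown", 0)

def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you administer and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_reply(s.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return ("closed", 0)
```

After the workaround, `probe()` should no longer return `sslv2-enabled`; a result of `sslv2-error` means the listener still parses SSLv2 messages even though it offers no cipher.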
This issue is addressed in the following releases:
Sun Java System Web Server 6.0 SP 9 is available for download at: http://wwws.sun.com/software/download/products/419a6e11.html
Sun Java System Web Server 6.1 SP 3 is available for download at: http://wwws.sun.com/software/download/products/415a094d.html
Sun Java System Application Server 7 2004Q2 Update 1 is available for download at: http://wwws.sun.com/software/download/products/4154c5a5.html
Sun Java System Application Server Platform Edition 7 Update 5 is available for download at: http://wwws.sun.com/software/download/products/4151fe59.html
Sun Java[tm] System Application Server 7 Standard Edition Update 5 is available for download at: http://wwws.sun.com/software/download/products/414b472d.html
Sun Java System Application Server Standard Edition 7 2004Q2 Update 4