Note: This is an archival copy of Security Sun Alert 201785 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001323.1.
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Sun Java Enterprise System 2004Q2
Date of Workaround Release
Date of Resolved Release
A local or remote unprivileged user may be able to cause systems which have installed the Sun Java Enterprise System (JES) along with the patches listed below in Section 2 to become unresponsive or hang. This is a Denial of Service (DoS) due to a memory leak in the Network Security Services (NSS) software which is used by many of the Sun Java Enterprise System components such as the Sun Java System Application Server, the Sun Java System Web Server, and the Sun Java System Portal Server.
NSS is an open source project which adds support for SSL, S/MIME, and other Internet security standards to the Sun Java Enterprise System. Further information about NSS can be found at http://www.mozilla.org/projects/security/pki/nss/
This issue is also described in CVE-2006-3127 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3127
This issue can occur in the following releases:
To determine if the NSS packages are installed on a system, the following command can be run:
% pkginfo SUNWtls
To determine the version of NSS on a system, the following command can be run:
% pkgparam SUNWtls SUNW_PRODVERS
The system will become unresponsive and "hang". Applications on the system, such as Sun Java System Application Server or Sun Java System Web Server, will no longer respond to client requests.
To work around the described issue, back out whichever patch is necessary (119209-07, 119211-07, 119212-07, 119213-07, 119214-07, 121656-07) according to which operating system version is installed.
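To find out which of the patches named above is actually installed before backing it out, the installed-patch list can be filtered for those IDs. The script below is an added example, not part of the original Sun Alert; it assumes a POSIX shell (ksh or bash) and the output format of showrev -p, and the sample patch list embedded in it is constructed.

```shell
#!/bin/sh
# Added example: report which patches named in this alert are installed.
# The patch IDs are the ones listed in the workaround text of the alert.
ALERT_PATCHES="119209-07 119211-07 119212-07 119213-07 119214-07 121656-07"

# Read `showrev -p` output on stdin. For every installed patch whose ID and
# revision match one named in the alert, print "<patch-id><TAB><packages>".
affected_patches() {
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        for p in $ALERT_PATCHES; do
            if [ "$id" = "$p" ]; then
                # Keep only the text after "Packages: " on the line.
                printf '%s\t%s\n' "$id" "${rest##*Packages: }"
            fi
        done
    done
}

# Constructed sample in `showrev -p` format (not taken from a real host).
# 000000-01 and SUNWexample are placeholders.
sample_showrev() {
cat <<'EOF'
Patch: 000000-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 119213-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtls
Patch: 119213-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtls
EOF
}

# On a Solaris host use the real patch list; elsewhere fall back to the sample.
if command -v showrev >/dev/null 2>&1; then
    showrev -p | affected_patches
else
    sample_showrev | affected_patches
fi
```

Only the exact revisions named in the alert are matched; an empty result means none of them is installed on the host.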
This issue is addressed in the following releases: