Note: This is an archival copy of Security Sun Alert 200610 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000472.1.
Article ID : 1000472.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-11-08
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability Issue of Forged RSA Signatures for Java Enterprise System and Solaris



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Solaris 8 Operating System
Sun Java Enterprise System 2005Q4
Sun Java Enterprise System 2004Q2

Bug Id
6468495

Date of Workaround Release
25-OCT-2006

Date of Resolved Release
09-NOV-2006

Impact

A vulnerability in the Sun Java Enterprise System (JES) may allow remote unprivileged users to construct certificates with forged RSA signatures that go undetected and are accepted as valid. Such users may be able to operate servers that falsely pose as other servers, or to generate forged signatures on emails and software downloads, without detection.

This issue is also described in the following documents:

CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

Note: The issue described in this Sun Alert is specific to Sun Java Enterprise System (JES). Multiple Sun products are affected by this issue; for more details please see Sun Alert 102648.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Java Enterprise System 2003Q4 (for Solaris 8) without patch 114045-14
  • Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 8) without patch 119209-10
  • Sun Java Enterprise System 2003Q4 (for Solaris 9) without patch 114049-14
  • Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) without patch 119211-10
  • Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) without patch 119213-10
  • Solaris 9 without patch 114049-14
  • Solaris 10 without patch 119213-10

x86 Platform

  • Sun Java Enterprise System 2003Q4 (for Solaris 9) without patch 114050-14
  • Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) without patch 119212-10
  • Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) without patch 119214-10
  • Solaris 9 without patch 114050-14
  • Solaris 10 without patch 119214-10

Linux Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for Linux) without patch 121656-10

HP-UX Platform

  • Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) without patch 124379-01

Notes:

  1. Sun Java Enterprise System is not available for Solaris 8 on the x86 platform.
  2. This vulnerability affects all NSS-based SSL clients and S/MIME email programs which use NSS versions below 3.11.3.
  3. This vulnerability also affects products that verify signatures on downloaded files.

Among NSS-based server products, this vulnerability only affects those that:

A) act as SSL clients (including LDAPS clients), or

B) request and accept certificates from remote SSL clients.

This vulnerability stems from the code that verifies RSA signatures of the kind commonly used on X.509 certificates, known as "PKCS#1" version 1.5 RSA signatures.
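The check a verifier must perform is illustrated below. This is an added example, not code from the Sun Alert or from NSS: the advisory does not describe the exact parsing error in NSS, so verify_lax is a simplified model of the general class of flaw (a verifier that walks the decoded block from the left and stops once it finds the expected hash, never confirming that the hash occupies the end of the block). verify_strict shows the robust alternative, which rebuilds the complete expected EMSA-PKCS1-v1_5 encoding and compares it byte for byte. The block operates on the already-decrypted encoded message EM (the result of the RSA public-key operation) so that no key material is needed; the function names, the 128-byte block size and the test message are assumptions chosen for the example, and malformed_em builds a constructed negative test vector of the kind a verifier's test suite should contain.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (AlgorithmIdentifier + OCTET STRING header),
# as tabulated in PKCS#1 v1.5 / RFC 3447 section 9.2.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build the EMSA-PKCS1-v1_5 encoding  EM = 00 01 FF..FF 00 || DigestInfo.
    em_len is the RSA modulus length in bytes (assumed 128 in the test below)."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:                      # PKCS#1 requires at least 8 padding bytes
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_strict(em: bytes, message: bytes) -> bool:
    """Robust check: the decrypted block must equal the full expected encoding.
    Short padding or any extra bytes after the hash cause rejection."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_lax(em: bytes, message: bytes) -> bool:
    """Simplified model of a flawed verifier (assumption, not the NSS code): it
    parses 00 01 FF.. 00 from the left, then checks only that the expected
    DigestInfo appears next, ignoring whatever follows it in the block."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    return em[i:i + len(t)] == t        # bytes em[i+len(t):] are never examined


def malformed_em(message: bytes, em_len: int) -> bytes:
    """Constructed negative test vector: minimal padding, correct DigestInfo, and
    then filler bytes up to the block length. It is not a valid encoding, so a
    correct verifier must reject it; a verifier with the flaw above accepts it."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    filler_len = em_len - 3 - 8 - len(t)
    if filler_len < 0:
        raise ValueError("block too short for this test vector")
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * filler_len


if __name__ == "__main__":
    msg = b"constructed test message"            # constructed sample input
    good = emsa_pkcs1_v15_encode(msg, 128)
    bad = malformed_em(msg, 128)
    print("valid block,   strict:", verify_strict(good, msg), " lax:", verify_lax(good, msg))
    print("malformed one, strict:", verify_strict(bad, msg), " lax:", verify_lax(bad, msg))
```

The strict form is the one recommended by later revisions of PKCS#1 (RFC 3447 section 8.2.2 compares the whole encoded message rather than parsing it), and the NSS 3.11.3 fix referenced in this alert moves NSS to the same discipline. Running the block prints True/True for the valid block and False/True for the malformed one, which is exactly the discrepancy a regression test for this bug should catch.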

To determine if the NSS packages are installed on a system, the following command can be run:

    % pkginfo SUNWtls

To determine the version of NSS on a system, the following command can be run:

    % pkgparam SUNWtls SUNW_PRODVERS

Symptoms

There are no predictable symptoms that would indicate the described issue has occurred.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun Java Enterprise System 2003Q4 (for Solaris 8) with patch 114045-14 or later
  • Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 8) with patch 119209-10 or later
  • Sun Java Enterprise System 2003Q4 (for Solaris 9) with patch 114049-14 or later
  • Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) with patch 119211-10 or later
  • Solaris 9 with patch 114049-14 or later
  • Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with patch 119213-10 or later
  • Solaris 10 with patch 119213-10 or later

x86 Platform

  • Sun Java Enterprise System 2003Q4 (for Solaris 9) with patch 114050-14 or later
  • Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) with patch 119212-10 or later
  • Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with patch 119214-10 or later
  • Solaris 9 with patch 114050-14 or later
  • Solaris 10 with patch 119214-10 or later

Linux Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for Linux) with patch 121656-10 or later

HP-UX Platform

  • Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) with patch 124379-01 or later

A final resolution is pending completion.



Modification History

08-Nov-2006:

  • Updated Contributing Factors and Resolution sections

09-Nov-2006:

  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

119209-10
119211-10
119212-10
119213-10
119214-10
121656-10
124379-01
114049-14
114045-14
114050-14
