Note: This is an archival copy of Security Sun Alert 200708 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000560.1.
Article ID : 1000560.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-04-06
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in RSA Signature Verification Affects Sun Java System Application Server, Proxy Server and Web Server



Category
Security

Release Phase
Resolved

Product
Sun Java System Application Server Standard Edition 7 2004Q2
Sun Java System Application Server Platform Edition 8.1 2005Q1
Sun ONE Application Server 7, Standard Edition
Sun Java System Web Proxy Server 4.0
Sun Java System Web Server 6.1
Sun Java System Application Server Enterprise Edition 7 2004Q2
Sun Java System Application Server Enterprise Edition 8.1 2005Q1
Sun ONE Web Server 6.0
Sun Java System Web Proxy Server 3.6

Bug Id
6472033, 6473494, 6528257

Date of Workaround Release
03-NOV-2006

Date of Resolved Release
07-Apr-2008

Sun Java System Application Server, Sun Java System Proxy Server and Sun Java System Web Server are vulnerable (see below for details)

1. Impact

Sun Java System Application Server, Sun Java System Proxy Server and Sun Java System Web Server are vulnerable to an RSA signature verification vulnerability which may allow remote unprivileged users to construct certificates with forged signatures that go undetected and are accepted as valid.

This issue is also described in the following documents:

CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
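The verification defect behind CVE-2006-4339, shown as an added Python example that is not part of this Sun Alert and not code from the affected products: a lenient PKCS#1 v1.5 verifier that walks the padding, checks the DigestInfo and then ignores whatever follows it, beside the strict whole-block comparison a fixed verifier performs. The SHA-1 DigestInfo prefix is the one from RFC 3447; the message and encoded blocks are constructed test vectors.

```python
import hashlib

# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def expected_em(message: bytes, em_len: int) -> bytes:
    """Build the exact EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def lenient_verify(em: bytes, message: bytes) -> bool:
    """Lenient parser of the kind CVE-2006-4339 targeted: it accepts any run of
    0xFF padding, then checks only that the DigestInfo starts right after the
    0x00 separator. Bytes after the DigestInfo are never examined, which is the
    slack a forged signature exploits."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    return em[i + 1 : i + 1 + len(t)] == t   # trailing bytes ignored

def strict_verify(em: bytes, message: bytes) -> bool:
    """Fixed behaviour: the recovered block must equal the full expected
    encoding, so no byte of the block is left unchecked."""
    return em == expected_em(message, len(em))

# Constructed test vectors (not from the advisory): a correctly padded block,
# and a block with the padding shortened so unchecked bytes follow DigestInfo.
MSG = b"constructed sample tbsCertificate"
EM_LEN = 128
GOOD_EM = expected_em(MSG, EM_LEN)
T = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(MSG).digest()
MALFORMED_EM = (b"\x00\x01" + b"\xff" * 8 + b"\x00" + T
                + b"\x00" * (EM_LEN - 11 - len(T)))

if __name__ == "__main__":
    print("lenient accepts malformed block:", lenient_verify(MALFORMED_EM, MSG))
    print("strict accepts malformed block: ", strict_verify(MALFORMED_EM, MSG))
```

The malformed block is only the encoded message after the RSA public-key operation; producing an actual signature value that decrypts to it is the attacker's problem and is not shown here.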


2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun ONE Application Server 7 Update 9 and earlier
  • Sun Java System Application Server 7 2004Q2 without Update 6
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-12 or (SVR4) patch 119166-20
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file-based) patch 119173-12 or (SVR4) patch 119166-20
  • Sun ONE Web Proxy Server 3.6
  • Sun Java System Proxy Server 4.0 without Service Pack 4
  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 116648-19

x86 Platform

  • Sun ONE Application Server 7 Update 9 and earlier
  • Sun Java System Application Server 7 2004Q2 without Update 6
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119170-12 or (SVR4) patch 119167-20
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file-based) patch 119174-12 or (SVR4) patch 119167-20
  • Sun Java System Proxy Server 4.0 without Service Pack 4
  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 116649-19

Linux Platform

  • Sun ONE Application Server 7 Update 9 and earlier
  • Sun Java System Application Server 7 2004Q2 without Update 6
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119171-12 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file-based) patch 119175-12 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20
  • Sun Java System Proxy Server 4.0 without Service Pack 4
  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7
  • Sun Java System Web Server 6.1 without patch 118202-11

AIX Platform

  • Sun ONE Web Proxy Server 3.6
  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7

HP-UX Platform

  • Sun ONE Web Proxy Server 3.6
  • Sun Java System Proxy Server 4.0 without Service Pack 4
  • Sun Java System Application Server Enterprise Edition 8.1 2005
  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7

Windows Platform

  • Sun ONE Application Server 7 Update 9 and earlier
  • Sun Java System Application Server 7 2004Q2 without Update 6
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119172-12
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file-based) patch 119176-12
  • Sun ONE Web Proxy Server 3.6
  • Sun Java System Proxy Server 4.0 without Service Pack 4
  • Sun Java System Web Server 6.0 without Service Pack 11
  • Sun Java System Web Server 6.1 without Service Pack 7

To determine the version of Sun Java System Application Server on a system, the following command can be run:

    $ <AS_INSTALL>/bin/asadmin version --verbose
    Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)

(Where <AS_INSTALL> is the installation directory of the Application Server).

To determine the version of Sun Java System Web Server on a system, the following command can be run:

    $ <WS-install>/https-<host>/start -version

(Where <WS-install> is the top installation directory of Web Server and <host> is the actual host name on which the Web Server is installed).

To determine the version of Sun Java System Proxy Server on a system, the following command can be run:

    $ <PS_INSTALL>/bin/ns-proxy -v
    Sun ONE Web Proxy Server 3.6-SP9 B2006.191.1801 SP9

(Where <PS_INSTALL> is the installation directory of the Proxy Server).


3. Symptoms

There are no predictable symptoms that would indicate the described issue has occurred.


4. Workaround

There is no workaround for this issue. Please see the Resolution section below.


5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun Java System Proxy Server 4.0 with Service Pack 4 or later
  • Sun Java System Application Server 7 2004Q2 with Update 6 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119169-12 or later or (SVR4) patch 119166-20 or later
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119173-12 or later or (SVR4) patch 119166-20 or later
  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 116648-19 or later

x86 Platform

  • Sun Java System Proxy Server 4.0 with Service Pack 4 or later
  • Sun Java System Application Server 7 2004Q2 with Update 6 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119170-12 or later or (SVR4) patch 119167-20 or later
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119174-12 or later or (SVR4) patch 119167-20 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 116649-19 or later

Linux Platform

  • Sun Java System Proxy Server 4.0 with Service Pack 4 or later
  • Sun Java System Application Server 7 2004Q2 with Update 6 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119171-12 or later or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20 or later
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119175-12 or later or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20 or later
  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later
  • Sun Java System Web Server 6.1 with patch 118202-11 or later

AIX Platform

  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later

HP-UX Platform

  • Sun Java System Proxy Server 4.0 with Service Pack 4 or later
  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later

Windows Platform

  • Sun Java System Proxy Server 4.0 with Service Pack 4 or later
  • Sun Java System Application Server 7 2004Q2 with Update 6 or later
  • Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119172-12 or later
  • Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119176-12 or later
  • Sun Java System Web Server 6.0 with Service Pack 11 or later
  • Sun Java System Web Server 6.1 with Service Pack 7 or later

Sun Java System Application Server Standard Edition 7 2004Q2 Update 6 is available at http://www.sun.com/download/products.xml?id=468dc166

Sun Java System Application Server Enterprise Edition 7 2004Q2 Update 6 is available at https://sdlc6c.sun.com/ECom/EComActionServlet;jsessionid=FB345EA6DCC80C427133802A4A04AB8C

Sun Java System Proxy Server 4.0 Service Pack 4 is available at http://www.sun.com/download/products.xml?id=45edcffe

Sun Java System Web Server 6.0 Service Pack 11 is available at http://www.sun.com/download/products.xml?id=459db7b2

Sun Java System Web Server 6.1 Service Pack 7 is available at http://www.sun.com/download/products.xml?id=45c90ca9



Modification History

07-Apr-2008
  • Resolved
08-NOV-2006
  • Updated Contributing Factors section
21-NOV-2006
  • Updated Contributing Factors and Resolution sections
10-MAR-2007
  • Updated Contributing Factors and Resolution sections
04-APR-2007
  • Updated Contributing Factors and Resolution sections
25-APR-2007
  • Updated Contributing Factors and Resolution sections
31-JUL-2007
  • Updated Contributing Factors and Resolution sections


References

119166-20
119167-20
119168-20
119169-12
119170-12
119171-12
119172-12
119173-12
119174-12
119175-12
119176-12
116648-19
116649-19
118202-11
121524-03
121510-03
