Note: This is an archival copy of Security Sun Alert 201350 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001023.1.
Article ID : 1001023.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-07-15
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the Network Security Services (NSS) May Affect SSL Clients and SSL Servers



Category
Security

Release Phase
Resolved

Product
Sun Java Enterprise System 5
Solaris 9 Operating System
Solaris 10 Operating System
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Sun Java Enterprise System 2005Q4
Sun Java Enterprise System 2004Q2

Bug Id
6507762

Date of Resolved Release
29-MAR-2007

Impact

Security vulnerabilities in the Network Security Services (NSS) implementation of SSL2 may affect both SSL clients (such as browsers) and SSL servers which make use of this library. As a result, the client or server may exit unexpectedly, which is a type of Denial of Service (DoS). For servers running on Microsoft Windows, these vulnerabilities may also allow remote code execution.

These vulnerabilities are in NSS's implementation of SSL2, not in the SSL2 protocol itself.

Note: NSS is a set of libraries that implement SSL2, SSL 3.0 and TLS (SSL 3.1). NSS is widely used. It is used in the Mozilla family of browsers offered by Sun to Solaris users. It is also used in the "Java Enterprise Server" (JES) family of server products, including Web server, Directory Server, Messaging Server, Application Server, Portal Server, and others. It is used for the built-in LDAPS client in Solaris 9 and 10 which may be used as part of the Solaris login program.

This issue is also described in the following documents:


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 8 without patch 119209-12
  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 without patch 119211-12
  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 without patch 119213-12
  • Sun Java Enterprise System 5 without patch 125358-01
  • Solaris 9 without patch 119211-12
  • Solaris 10 without patch 119213-12

x86 Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 without patch 119212-12
  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 without patch 119214-12
  • Sun Java Enterprise System 5 without patch 125359-01
  • Solaris 9 without patch 119212-12
  • Solaris 10 without patch 119214-12

Linux Platform

  • Sun Java Enterprise System 2004Q2, 2005Q1, 2005Q4 and Sun Java Enterprise System 5 without patch 121656-12

HP-UX Platform

  • Sun Java Enterprise System 2005Q1, 2005Q4 and Sun Java Enterprise System 5 without patch 124379-03

Windows Platform

  • Sun Java Enterprise System 2005Q1
  • Sun Java Enterprise System 2005Q4 without patch 124392-04
  • Sun Java Enterprise System 5 without patch 125923-01

Note 1: Sun Java Enterprise System is not supported on Solaris 8 x86.

Note 2: SSL2 is the oldest of the SSL/TLS family of security protocols, and it is now widely regarded as comparatively weak and obsolete. It is therefore recommended that sites move away from SSL2 to SSL 3.0 or TLS.

To determine if the NSS packages are installed on a system, the following command can be run:

    % pkginfo SUNWtls

To determine the version of NSS on a system, the following command can be run:

    % pkgparam SUNWtls SUNW_PRODVERS

Systems affected by this issue have NSS version of 3.11.4 or earlier.
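The following POSIX shell script is an added example, not part of the Sun Alert, that automates the check described above: it compares a SUNW_PRODVERS value against the 3.11.4 cut-off and, when the Solaris pkgparam(1) command is present, queries the installed SUNWtls package directly. The version comparison is component-wise on dotted numeric strings; the assumption that SUNW_PRODVERS is a dotted numeric version is mine, and non-digit characters in a component are ignored.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): is the installed NSS (SUNWtls)
# in the affected range, i.e. version 3.11.4 or earlier?

# vercmp A B: compare two dotted version strings component by component.
# Prints -1 if A < B, 0 if equal, 1 if A > B. Missing components count as 0,
# so 3.11 sorts before 3.11.4 and 3.12 sorts after it.
vercmp() {
    _a=$1
    _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}
        _y=${_b%%.*}
        # keep digits only (assumption: components are numeric, any suffix is noise)
        _x=$(printf '%s' "$_x" | tr -cd '0-9')
        _y=$(printf '%s' "$_y" | tr -cd '0-9')
        [ -z "$_x" ] && _x=0
        [ -z "$_y" ] && _y=0
        if [ "$_x" -lt "$_y" ]; then echo -1; return 0; fi
        if [ "$_x" -gt "$_y" ]; then echo 1; return 0; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    echo 0
}

# nss_affected VERSION: succeeds (exit 0) when VERSION is 3.11.4 or earlier,
# the range the alert lists as affected; fails (exit 1) otherwise.
nss_affected() {
    [ "$(vercmp "$1" 3.11.4)" -le 0 ]
}

# check_installed_nss: query the live system the way the alert describes
# (pkgparam SUNWtls SUNW_PRODVERS) and classify the result.
# Exit status: 0 affected, 1 not affected, 2 no pkgparam, 3 SUNWtls not installed.
check_installed_nss() {
    if ! command -v pkgparam >/dev/null 2>&1; then
        echo "pkgparam not found: not a Solaris packaging host"
        return 2
    fi
    _v=$(pkgparam SUNWtls SUNW_PRODVERS 2>/dev/null) || {
        echo "SUNWtls (NSS) is not installed"
        return 3
    }
    if nss_affected "$_v"; then
        echo "NSS $_v: AFFECTED - apply the patch listed for this platform or disable SSL2"
        return 0
    fi
    echo "NSS $_v: not affected (later than 3.11.4)"
    return 1
}

# Run the live check only when invoked with an argument, e.g. ./nsscheck.sh --check
if [ "$#" -gt 0 ]; then
    check_installed_nss
fi
```

Run it as `sh nsscheck.sh --check` on the host in question; an exit status of 0 means the installed NSS falls inside the affected range and the platform patch from the Resolution section (or the SSL2 workaround) applies.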


Symptoms

There are no reliable symptoms that would indicate the described issues have been exploited.


Workaround

To work around the described issue, disable SSL2 in the products that use NSS. Disabling SSL2 will force NSS to use SSL 3.0 and/or SSL 3.1 (TLS).

The exact procedure to disable SSL2 varies from product to product. Browsers have "preferences" panels in which SSL2 can be disabled. Servers have various administration tools, including command line tools, GUI tools, and separate administration servers (web servers) that are accessed through a browser.

Note 1: Firefox 2.0 already has SSL2 disabled by default.

Note 2: Due to the weak security status of SSL2, customers are advised to disable SSL2 and leave it disabled, even when a fix for this vulnerability is available from Sun.


Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 8 with patch 119209-12 or later
  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 with patch 119211-12 or later
  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 with patch 119213-12 or later
  • Sun Java Enterprise System 5 with patch 125358-01 or later
  • Solaris 9 with patch 119211-12 or later
  • Solaris 10 with patch 119213-12 or later

x86 Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 with patch 119212-12 or later
  • Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 with patch 119214-12 or later
  • Sun Java Enterprise System 5 with patch 125359-01 or later
  • Solaris 9 with patch 119212-12 or later
  • Solaris 10 with patch 119214-12 or later

Linux Platform

  • Sun Java Enterprise System 2004Q2, 2005Q1, 2005Q4 and Sun Java Enterprise System 5 with patch 121656-12 or later

HP-UX Platform

  • Sun Java Enterprise System 2005Q1, 2005Q4 and Sun Java Enterprise System 5 with patch 124379-03 or later

Windows Platform

  • Sun Java Enterprise System 2005Q4 with patch 124392-04 or later
  • Sun Java Enterprise System 5 with patch 125923-01 or later

Sun Java Enterprise System 2005Q1 systems should either apply the workaround described in section 4: "Relief/Workaround" or upgrade to Sun Java Enterprise System 5 and apply patch 125923-01.



Modification History
Date: 13-JUL-2007
  • Updated Contributing Factors and Resolution sections


References

125358-01
119211-12
119213-12
125359-01
119212-12
119214-12
121656-12
124379-03
125923-01
119209-12




Attachments
This solution has no attachment