Note: This is an archival copy of Security Sun Alert 201452 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001093.1.
Article ID : 1001093.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in SSL/TLS Block Ciphers may affect Sun ONE/iPlanet Web Server and Application Server



Category
Security

Release Phase
Resolved

Bug Id
4828761

Date of Workaround Release
06-MAY-2003

Date of Resolved Release
05-AUG-2003

Impact

In Sun ONE Application Server or Sun ONE/iPlanet Web Server, it may be possible under certain circumstances to gather information about the data transmitted over a Secure Sockets Layer (SSL) or a Transport Layer Security (TLS) channel. This vulnerability is due to the way error handling is implemented with Cipher Block Chaining (CBC) mode ciphers in SSL and TLS and has been described in:

	http://www.mozilla.org/projects/security/pki/nss/news/vaudenay-cbc.html

The described issue does not expose private or session keys. This issue primarily affects TLS rather than SSL version 3.


Contributing Factors

This issue may occur in the following releases:

  • Sun ONE/iPlanet Web Server 6.0 Service Pack 1 through 5
  • Sun ONE Application Server 7.0

Note: All architectures and platforms are impacted by this issue.

For supported architectures and OS versions see:


Symptoms

There are no visible symptoms that would show the described issue has been exploited.


Workaround

To work around the described issue, follow the steps below:

Sun ONE/iPlanet Web Server 6.0 Service Pack 1 through 5

Disable TLS or disable the following ciphers:

	Fortezza with 80 bit encryption and SHA message authentication
	DES with 56 bit encryption and SHA message authentication
	RC2 with 40 bit encryption and MD5 message authentication
	(FIPS) Triple DES with 168 bit encryption and SHA message authentication
	(FIPS) DES with 56 bit encryption and SHA message authentication
	Triple DES with 168 bit encryption and SHA message authentication

To disable TLS or disable the above ciphers:

	Log in to the admin server and click on the instance to be managed
	Click on preferences -> Edit listen sockets
	Click on the attributes for the listen socket to be edited
	Click on attributes
	Click on SSL2 and SSL3/TLS to disable TLS or the above-mentioned ciphers

Sun ONE Application Server 7.0

Disable TLS or disable the following ciphers:

	rsa_3des_sha
	rsa_des_sha
	rsa_rc2_40_md5
	rsa_des_56_sha

To disable TLS or disable the above ciphers:

	Log in to the admin server and click on App server instances
	Click on the server to disable the TLS or ciphers
	Click on HTTP Server
	Click HTTP Listeners -http-listener-x and the values will be seen
	in the right frame
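
The workaround above can be verified across many listeners with a short script. The following is an added example, not part of the original advisory or of any Sun tooling. It assumes each listener's setting has been exported as a TLS on/off flag plus a comma-separated string of +name/-name cipher tokens; that export format, the listener names and the sample values are assumptions.

```python
# Added example: audit listener cipher settings against the advisory's workaround.
# Cipher names are copied from the advisory's Application Server 7.0 list.
ADVISORY_CIPHERS = ("rsa_3des_sha", "rsa_des_sha", "rsa_rc2_40_md5", "rsa_des_56_sha")


def parse_cipher_spec(spec):
    """Parse an ASSUMED '+name,-name' string into {name: enabled}."""
    state = {}
    for token in spec.split(","):
        token = token.strip().lower()
        if not token:
            continue
        if token[0] in "+-":
            state[token[1:].strip()] = token[0] == "+"
        else:
            state[token] = True  # no sign given: treat as enabled (conservative)
    return state


def audit_listener(name, tls_enabled, cipher_spec):
    """Return a finding with status 'ok', 'exposed' or 'review' for one listener."""
    state = parse_cipher_spec(cipher_spec)
    enabled = [c for c in ADVISORY_CIPHERS if state.get(c) is True]
    unspecified = [c for c in ADVISORY_CIPHERS if c not in state]
    if not tls_enabled:
        status = "ok"       # workaround option 1: TLS is disabled
    elif enabled:
        status = "exposed"  # TLS on and a listed cipher is still enabled
    elif unspecified:
        status = "review"   # a listed cipher is not mentioned; default unknown
    else:
        status = "ok"       # workaround option 2: all listed ciphers disabled
    return {"listener": name, "status": status,
            "enabled": enabled, "unspecified": unspecified}


# Constructed sample settings (hypothetical listeners, not from the advisory).
SAMPLE_LISTENERS = [
    ("http-listener-1", True, "+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_des_sha,-rsa_rc2_40_md5,-rsa_des_56_sha"),
    ("http-listener-2", False, "+rsa_3des_sha,+rsa_des_sha"),
    ("http-listener-3", True, "+rsa_rc4_128_md5,-rsa_3des_sha,-rsa_des_sha,-rsa_rc2_40_md5"),
    ("http-listener-4", True, "-rsa_3des_sha, -rsa_des_sha, -RSA_RC2_40_MD5, -rsa_des_56_sha"),
]

if __name__ == "__main__":
    for listener in SAMPLE_LISTENERS:
        print(audit_listener(*listener))
```

A "review" result means the exported string does not mention one of the listed ciphers, so its state must be confirmed in the admin interface.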

Resolution

This issue is addressed in the following releases:

  • Sun ONE/iPlanet Web Server 6.0 Service Pack 6 and later
  • Sun ONE Application Server 7.0 Update Release 1 and later

The above releases are available for download at:

Sun ONE/iPlanet Web Server 6.0 Service Pack 6

Sun ONE Application Server 7.0 Update Release 1



Modification History
Date: 08-MAY-2003
  • Updated Contributing Factors

Date: 05-AUG-2003
  • State: Resolved
  • Updated Resolution section



Product
Sun ONE Web Server 6.1 (Localized)
iPlanet Web Server 6.0 Enterprise Edition