Note: This is an archival copy of Security Sun Alert 201603 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001203.1.
Article ID : 1001203.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Netscape NSS Library Vulnerability Affects Sun Java System Web Server and Sun Java System Application Server

Category
Security

Release Phase
Resolved

Bug Id
5069683

Date of Workaround Release
30-AUG-2004

Date of Resolved Release
02-DEC-2004

Impact

A vulnerability exists in the Netscape Network Security Services (NSS) library suite which affects the Sun Java System Web Server and Sun Java System Application Server. This vulnerability may allow a remote unprivileged user to execute arbitrary code on vulnerable systems during SSLv2 connection negotiation.

This issue is described in the following Internet Security Systems Advisory: http://xforce.iss.net/xforce/alerts/id/180

Contributing Factors

This issue can occur in the following releases:

  • Sun Java System Web Server 6.0 Service Pack 8 and earlier
  • Sun Java System Web Server 6.1 Service Pack 2 and earlier
  • Sun Java System Application Server 7.0 Update 4 and earlier
  • Sun Java System Application Server 7 2004Q2

Note: All architectures and platforms are impacted by this issue.

Symptoms

There are no visible symptoms that would show the described issue has been exploited.

Workaround

To prevent the described issue, disable SSLv2 and all associated SSLv2 ciphers as shown below:

For Webserver 6.0:

  1. Log into the Administration Server
  2. Select the desired server instance from the pull down menu
  3. Select the "Preferences" tab and click on the "Edit Listen Sockets" link
  4. For the Listen Socket that has SSL enabled, select "Attributes"
  5. Under "Ciphers" select "SSL2"
  6. Uncheck "SSL version 2" (one may also disable all of the "SSLV2 ciphers" by unselecting them)
  7. Click "OK" then "Quit"
  8. Click "Apply" in the upper-right corner of the browser
  9. Click "Apply Changes" and restart the server
  10. Enter the SSL password when prompted

For Webserver 6.1:

  1. Log into the Administration Server
  2. Select the desired instance from the pull down menu
  3. Select the "Preferences" tab and click on the "Edit Listen Sockets" link
  4. Click on the desired Listen Socket to be edited
  5. Disable "SSLV2" by clicking on the drop box
  6. Disable all "SSLV2 ciphers" by unselecting them
  7. Click "OK"
  8. Click on "Apply" and then "Apply changes"
  9. Restart the server and enter the SSL password when prompted

For Appserver 7.0 and 7 2004Q2:

  1. Log into the Administration Server
  2. Select the desired instance from the pull down menu
  3. Expand the HTTP Server node
  4. Select the "HTTP Listeners" node
  5. Select the desired SSL instance to be edited
  6. Uncheck the "SSL2 Enabled" checkbox to disable SSLv2
  7. Click "Save"
  8. Click on "Apply changes required"
  9. Restart the server
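After applying the workaround, a practitioner will want to confirm that no SSL-enabled listen socket still has SSLv2 or an SSLv2 cipher turned on. The following added check is not part of the Sun Alert: it parses a server.xml-style configuration and reports any SSL-enabled listen socket that still allows SSLv2. The element and attribute names (LS, SSLPARAMS, ssl2, ssl2ciphers) and the sample configuration are assumptions modelled on the Sun ONE / Sun Java System server.xml layout, not taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Sun Java System Web Server server.xml
# (element and attribute names are an assumption, not from the alert):
# listen socket ls1 still accepts SSLv2, ls2 has it turned off, ls3 is plain HTTP.
SAMPLE_SERVER_XML = """<SERVER>
  <LS id="ls1" port="443" security="on">
    <SSLPARAMS servercertnickname="Server-Cert" ssl2="on" ssl2ciphers="+rc4,+rc2"
               ssl3="on" tls="on"/>
  </LS>
  <LS id="ls2" port="8443" security="on">
    <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc2"
               ssl3="on" tls="on"/>
  </LS>
  <LS id="ls3" port="80" security="off"/>
</SERVER>
"""


def sslv2_findings(xml_text):
    """Return (listen-socket id, problem) tuples for every SSL-enabled listen
    socket that still has SSLv2 or at least one SSLv2 cipher enabled."""
    findings = []
    root = ET.fromstring(xml_text)
    for ls in root.iter("LS"):
        if ls.get("security", "off").lower() != "on":
            continue  # non-SSL socket: no SSLv2 negotiation can happen here
        params = ls.find("SSLPARAMS")
        if params is None:
            findings.append((ls.get("id"), "security on but no SSLPARAMS element"))
            continue
        # A missing ssl2 attribute is treated as "not proven off" and reported.
        if params.get("ssl2", "").lower() != "off":
            findings.append((ls.get("id"), "ssl2 is not off"))
        # Cipher lists use +name to enable and -name to disable a cipher.
        enabled = [c.strip() for c in params.get("ssl2ciphers", "").split(",")
                   if c.strip().startswith("+")]
        if enabled:
            findings.append((ls.get("id"), "SSLv2 ciphers enabled: " + ",".join(enabled)))
    return findings


if __name__ == "__main__":
    for socket_id, problem in sslv2_findings(SAMPLE_SERVER_XML):
        print(f"{socket_id}: {problem}")
```

Run it against the real server.xml of each instance after the restart; an empty result means every SSL-enabled listen socket has SSLv2 and its ciphers disabled.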

Resolution

This issue is addressed in the following releases:

  • Sun Java System Web Server 6.0 SP 9 and later
  • Sun Java System Web Server 6.1 SP 3 and later
  • Sun Java System Application Server 7 2004Q2 Update 1 and later
  • Sun Java System Application Server 7 Update 5 and later

Sun Java System Web Server 6.0 SP 9 is available for download at: http://wwws.sun.com/software/download/products/419a6e11.html

Sun Java System Web Server 6.1 SP 3 is available for download at: http://wwws.sun.com/software/download/products/415a094d.html

Sun Java System Application Server 7 2004Q2 Update 1 is available for download at: http://wwws.sun.com/software/download/products/4154c5a5.html

Sun Java System Application Server Platform Edition 7 Update 5 is available for download at: http://wwws.sun.com/software/download/products/4151fe59.html

Sun Java[tm] System Application Server 7 Standard Edition Update 5 is available for download at: http://wwws.sun.com/software/download/products/414b472d.html

Modification History
Date: 25-OCT-2004
  • Additions to Contributing Factors and Resolution sections for new information per Engineering

Date: 02-DEC-2004
  • State: Resolved
  • Updated Resolution section

Product
Sun Java System Application Server Standard Edition 7 2004Q2 Update 4
