Note: This is an archival copy of Security Sun Alert 201785 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001323.1.
Article ID : 1001323.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-07-26
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Systems With Sun Java Enterprise System Installed May Hang Due to a Memory Leak in the Network Security Services (NSS) Software



Category
Security

Category
Availability

Release Phase
Resolved

Product
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Sun Java Enterprise System 2004Q2

Bug Id
6421471

Date of Workaround Release
13-JUN-2006

Date of Resolved Release
17-JUL-2006

Impact

A local or remote unprivileged user may be able to cause systems which have installed the Sun Java Enterprise System (JES) along with the patches listed below in the Contributing Factors section to become unresponsive or hang. This is a Denial of Service (DoS) due to a memory leak in the Network Security Services (NSS) software, which is used by many of the Sun Java Enterprise System components such as the Sun Java System Application Server, the Sun Java System Web Server, and the Sun Java System Portal Server.

NSS is an open source project which adds support for SSL, S/MIME, and other Internet security standards to the Sun Java Enterprise System. Further information about NSS can be found at http://www.mozilla.org/projects/security/pki/nss/

This issue is also described in CVE-2006-3127 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3127


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Solaris 8) with patch 119209-07 and without patch 119209-08
  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Solaris 9) with patch 119211-07 and without patch 119211-08
  • Sun Java Enterprise System 2005Q1 (for Solaris 10) with patch 119213-07 and without patch 119213-08

x86 Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Solaris 9) with patch 119212-07 and without patch 119212-08
  • Sun Java Enterprise System 2005Q1 (for Solaris 10) with patch 119214-07 and without patch 119214-08

Linux Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Linux) with patch 121656-07 and without patch 121656-08

Notes:

  1. Sun Java Enterprise System is not available for Solaris 8 on the x86 platform.
  2. Only NSS version 3.11 is impacted by this issue.

To determine if the NSS packages are installed on a system, the following command can be run:

    % pkginfo SUNWtls

To determine the version of NSS on a system, the following command can be run:

    % pkgparam SUNWtls SUNW_PRODVERS

 


Symptoms

The system will become unresponsive and "hang". Applications on the system, such as Sun Java System Application Server or Sun Java System Web Server, will no longer respond to client requests.


Workaround

To work around the described issue, back out whichever of the following patches is installed (119209-07, 119211-07, 119212-07, 119213-07, 119214-07, 121656-07), according to the operating system version in use.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Solaris 8) with patch 119209-08 or later
  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Solaris 9) with patch 119211-08 or later
  • Sun Java Enterprise System 2005Q1 (for Solaris 10) with patch 119213-08 or later

x86 Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Solaris 9) with patch 119212-08 or later
  • Sun Java Enterprise System 2005Q1 (for Solaris 10) with patch 119214-08 or later

Linux Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 (for Linux) with patch 121656-08 or later
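The patch-revision conditions in the Contributing Factors and Resolution lists can be checked mechanically on Solaris hosts. The script below is an added example, not part of Sun's advisory: it assumes patch listings in the `showrev -p` format (lines beginning `Patch: <id>-<rev>`), the function names are hypothetical, and the sample listing is constructed. The Linux patch 121656 is left out because `showrev` is a Solaris command.

```shell
#!/bin/sh
# Added example: classify installed NSS patch revisions against this alert.
# Solaris patch base IDs from the advisory (SPARC S8/S9/S10, x86 S9/S10).
NSS_PATCH_BASES="119209 119211 119213 119212 119214"

# Reads `showrev -p`-style lines ("Patch: <base>-<rev> ...") on stdin and
# prints "<base> <highest-rev> <state>" for each advisory patch present.
#   AFFECTED = highest revision is -07 (has -07, lacks -08)
#   RESOLVED = -08 or later installed
#   OLDER    = only revisions before -07, outside the listed affected set
nss_leak_status() {
    awk -v bases="$NSS_PATCH_BASES" '
    BEGIN { n = split(bases, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
    $1 == "Patch:" {
        split($2, id, "-")
        if (!(id[1] in want)) next
        rev = id[2] + 0
        # Older revisions may stay listed after an upgrade, so keep the highest.
        if (!(id[1] in best) || rev > best[id[1]]) best[id[1]] = rev
    }
    END {
        for (i = 1; i <= n; i++) {
            if (!(b[i] in best)) continue
            rev = best[b[i]]
            state = (rev == 7) ? "AFFECTED" : ((rev >= 8) ? "RESOLVED" : "OLDER")
            printf "%s %02d %s\n", b[i], rev, state
        }
    }'
}

# Exit status 0 if any advisory patch is at the affected revision.
nss_leak_affected() {
    nss_leak_status | grep ' AFFECTED$' >/dev/null
}

# Constructed sample listing (not captured from a real host).
sample_showrev() {
    cat <<'EOF'
Patch: 118833-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 119213-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtls
Patch: 119213-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtls, SUNWtlsu
EOF
}

sample_showrev | nss_leak_status    # on a host: showrev -p | nss_leak_status
```

A host reported as AFFECTED should still be confirmed with the `pkgparam SUNWtls SUNW_PRODVERS` check above, since only NSS version 3.11 is impacted.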


Modification History

17-Jul-2006:

  • Updated Contributing Factors and Resolution sections
  • State: Resolved

19-Jul-2006:

  • Updated Impact section

21-Jul-2006:

  • Updated Contributing Factors and Resolution sections


References

119209-08
119211-08
119212-08
119213-08
119214-08
121656-08



