Note: This is an archival copy of Security Sun Alert 274990 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021752.1.
Article ID : 1021752.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-03-04
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java Enterprise System Suite



Category
Security

Release Phase
Workaround

Bug Id
6899619, 6898371, 6899486, 6900117

Product
Sun Java System Web Server 6.1
Sun Java System Web Server 7.0
Sun Java System Web Proxy Server 4.0
Sun Java System Application Server Enterprise Edition 8.2
Sun GlassFish Enterprise Server v2.1
Sun Java System Directory Server 5.2
Sun Java System Directory Server Enterprise Edition 6.0
Sun Java System Directory Server Enterprise Edition 6.1
Sun Java System Directory Server Enterprise Edition 6.2
Sun Java System Directory Server Enterprise Edition 6.3

Date of Workaround Release
07-Jan-2010

Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java Enterprise System Suite

1. Impact

A security vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) protocols in the handling of session renegotiations affects Network Security Services (NSS) libraries bundled with the following products:
 
- Sun Java System Web Server
- Sun Java System Web Proxy Server
- Sun Java System Application Server
- Sun GlassFish Enterprise Server
- Sun Java System Directory Server Enterprise Edition

Systems running these server applications are susceptible to a man-in-the-middle attack whereby a remote unauthenticated user with the ability to intercept and control network traffic may send an unauthenticated request at the beginning of an HTTPS session that is then processed retroactively by the server. The vulnerability does not allow the attacker to decrypt the HTTPS requests or responses in the session.

Systems running the Sun Java System Directory Server Enterprise Edition product are also vulnerable to a man-in-the-middle scenario in which a remote unauthenticated user may send an appropriate request at the beginning of an LDAP session, causing the directory server to process the LDAP operation.

This issue is referenced in the following document:


Sun acknowledges with thanks, Marsh Ray and Steve Dispensa of PhoneFactor for bringing this issue to our attention.

Please also see Sun Alert 273350 that describes this issue in NSS libraries provided with Solaris and Sun Java System Enterprise System 5.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Sun Java System Web Server 6.1 without patch 116648-24
  • Sun Java System Web Server 6.1 without Service Pack 12
  • Sun Java System Web Server 7.0 without patch 125437-18
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 without patch 120981-20
  • Sun Java System Application Server 8.0 (Enterprise Edition) without patch 124672-14
  • Sun Java System Application Server 8.1 (Enterprise Edition SVR4) without patch 119166-40
  • Sun Java System Application Server 8.1 (Enterprise Edition File Based) without patch 119169-33
  • Sun Java System Application Server 8.2 (Enterprise Edition SVR4)
  • Sun Java System Application Server 8.2 (Enterprise Edition File Based) without patch 124675-13
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based without patch 128640-15 (for customers with valid support contract) or 141709-03 (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128643-15 (for customers with valid support contract) or 141700-03 (for customers without valid support contract)
x86 Platform
  • Sun Java System Web Server 6.1 without patch 116649-24
  • Sun Java System Web Server 6.1 without Service Pack 12
  • Sun Java System Web Server 7.0 without patch 125438-18
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 without patch 120982-20
  • Sun Java System Application Server 8.0 (Enterprise Edition) without patch 124673-14
  • Sun Java System Application Server 8.1 (Enterprise Edition SVR4) without patch 119167-40
  • Sun Java System Application Server 8.1 (Enterprise Edition File Based) without patch 119170-33
  • Sun Java System Application Server 8.2 (Enterprise Edition SVR4)
  • Sun Java System Application Server 8.2 (Enterprise Edition File Based) without patch 124676-13
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based without patch 128641-15 (for customers with valid support contract) or 141710-03 (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128644-15 (for customers with valid support contract) or 141701-03 (for customers without valid support contract)
Linux
  • Sun Java System Web Server 6.1 without patch 118202-16
  • Sun Java System Web Server 6.1 without Service Pack 12
  • Sun Java System Web Server 7.0 without patch 125439-16
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 without patch 120983-20
  • Sun Java System Application Server 8.0 (Enterprise Edition) without patch 124674-14
  • Sun Java System Application Server 8.1 (Enterprise Edition Package Based) without patch 119168-40
  • Sun Java System Application Server 8.1 (Enterprise Edition File Based) without patch 119171-33
  • Sun Java System Application Server 8.2 (Enterprise Edition Package Based)
  • Sun Java System Application Server 8.2 (Enterprise Edition File Based) without patch 124677-13
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based without patch 128642-15 (for customers with valid support contract) or 141711-03 (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128645-15 (for customers with valid support contract) or 141702-03 (for customers without valid support contract)
HP-UX
  • Sun Java System Web Server 6.1 without patch 121510-08
  • Sun Java System Web Server 6.1 without Service Pack 12
  • Sun Java System Web Server 7.0 without patch 125440-16
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 without patch 123532-09
Windows
  • Sun Java System Web Server 6.1 without patch 121524-08
  • Sun Java System Web Server 6.1 without Service Pack 12
  • Sun Java System Web Server 7.0 without patch 125441-18
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 without patch 126325-10
  • Sun Java System Application Server 8.0 (Enterprise Edition) without patch 124684-15
  • Sun Java System Application Server 8.1 (Enterprise Edition Package based) without patch 122848-25
  • Sun Java System Application Server 8.1 (Enterprise Edition File Based) without patch 119172-33
  • Sun Java System Application Server 8.2 (Enterprise Edition Package based)
  • Sun Java System Application Server 8.2 (Enterprise Edition File based) without patch 124678-13
  • Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128646-15 (for customers with valid support contract) or 141703-03 (for customers without valid support contract)
and also in the following releases:

Sun Java System Directory Server 5.2 PatchZIP (Compressed Archive) Versions for Solaris 8, 9 and 10 on SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX:
  • Sun ONE Directory Server 5.2 without patch 142806-02
Sun Java System Directory Server Enterprise Edition PatchZIP (Compressed Archive) Versions for Solaris 9 and 10 on SPARC and x86 Platform, HP-UX, Linux, and Windows:
  • Sun Java System Directory Server Enterprise Edition 6.0 through 6.3.1 without patch 142807-02
Notes:

1. Sun GlassFish Enterprise Server v2.1.1 was formerly referred to as Sun GlassFish Enterprise Server v2.1 patch 6 also known as Sun Java System Application Server 9.1 patch 12.

2. Sun Java System Application Server (Platform Edition) and Sun GlassFish Enterprise Server without HADB are not impacted by this issue.

To determine the version of Sun Java System Web Proxy Server on a system, the following command can be run:
$ <ps_install>/bin/proxy/bin/proxyd -v
Sun Microsystems, Inc.
Sun Java System Web Proxy Server 4.0.6 B05/12/2007 13:24
(Where <ps_install> is the installation directory of the Proxy Server).

To determine the version of Sun Java System Web Server 6.1 on a system, the following command can be run:
$ <WS-install>/https-<host>/start -version
(Where <WS-install> is the installation directory of the Web Server and <host> should be the actual host name on which the Web Server is installed).

To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run:
$ <WS-install>/bin/wadm --version
(Where <WS-install> is the installation directory of the Web Server).

To determine the version of Sun GlassFish Enterprise Server or Application Server on a system, the following command can be run:
$ <AS-install>/bin/asadmin version
(Where <AS-install> is the installation directory of the Application Server).

To determine if the Directory Server running on a system is affected, the following command can be used:

Sun Java System Directory Server 5.2:

On Solaris, Linux, HP-UX, and AIX systems:
$ cd <installation directory>/bin/slapd/server
$ ./ns-slapd -V -D <instance-directory>
On 64-bit Solaris:
$ cd <installation directory>/bin/slapd/server/64
$ ./ns-slapd -V -D <instance-directory>
On Windows systems:
cd <installation directory>/bin/slapd/server
slapd.exe -V -D <instance-directory>
If the output contains the version string 5.2, the system is affected by this issue.

Sun Java System Directory Server Enterprise Edition:
$ dsadm -V
If the output contains the version string 6.0, 6.1, 6.2, 6.3 or 6.3.1, the system is affected by this issue.
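The following is an added example (not part of the Sun Alert) that turns the version checks above into a small POSIX sh script: it pulls the version token out of the banner a version command prints and tests it against the affected ranges the alert lists for Web Proxy Server (4.0 through 4.0.12) and Directory Server (5.2, and 6.0 through 6.3.1). The two banner lines it checks are constructed so the script runs offline; the exact banner format of dsadm -V is assumed.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: classify a product by the
# version its banner reports, using the affected ranges from the
# Contributing Factors section. Sample banners below are constructed;
# on a real host feed check_output the output of the listed commands.

# First whitespace-separated token of the form digits.digits[.digits...]
# in a banner such as "Sun Java System Web Proxy Server 4.0.6 B05/12/2007 13:24".
version_from_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+\.[0-9][0-9.]*$/) { print $i; exit } }'
}

# Web Proxy Server 4.0 through 4.0.12 is affected without the listed patch.
proxy_affected() {
    case "$1" in
        4.0|4.0.[0-9]|4.0.1[0-2]) return 0 ;;
        *) return 1 ;;
    esac
}

# Directory Server 5.2 (any patch level) and DSEE 6.0 through 6.3.1 are affected.
ds_affected() {
    case "$1" in
        5.2|5.2.*|6.0|6.1|6.2|6.3|6.3.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict for one banner line.  $1 = product kind (proxy|ds),
# $2 = banner line.  Returns 0 when the version is in an affected range.
check_output() {
    ver=$(version_from_line "$2")
    [ -n "$ver" ] || { echo "could not parse a version from: $2"; return 1; }
    if { [ "$1" = proxy ] && proxy_affected "$ver"; } ||
       { [ "$1" = ds ] && ds_affected "$ver"; }; then
        echo "$1 $ver: AFFECTED, apply the patch listed under Resolution"
        return 0
    fi
    echo "$1 $ver: not in an affected range"
    return 1
}

# Constructed sample banners; the proxy one mirrors the alert's example output.
SAMPLE_PROXY='Sun Java System Web Proxy Server 4.0.6 B05/12/2007 13:24'
SAMPLE_DSEE='Sun Java System Directory Server Enterprise Edition 6.3.1'

check_output proxy "$SAMPLE_PROXY"
check_output ds "$SAMPLE_DSEE"
```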

3. Symptoms

There are no predictable symptoms that would indicate this issue has been exploited.

4. Workaround

To work around the issue in Sun Java System Web Server, a client certificate can be required during the initial connection handshake. This mode can be configured by setting the client-auth element to 'required' in server.xml, as in the following example:

<http-listener>
    <ssl>
        <client-auth>required</client-auth>
    </ssl>
</http-listener>

There is no workaround for this issue for the other server products. Please see the 'Resolution' section below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Sun Java System Web Server 6.1 with patch 116648-24 or later
  • Sun Java System Web Server 6.1 with Service Pack 12 or later
  • Sun Java System Web Server 7.0 with patch 125437-18 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 with patch 120981-20 or later
  • Sun Java System Application Server 8.0 (Enterprise Edition) with patch 124672-14 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition SVR4) with patch 119166-40 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition file based) with patch 119169-33 or later
  • Sun Java System Application Server 8.2 (Enterprise Edition File Based) with patch 124675-13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with patch 128640-15 or later (for customers with valid support contract) or 141709-03 or later (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128643-15 or later (for customers with valid support contract) or 141700-03 or later (for customers without valid support contract)
x86 Platform
  • Sun Java System Web Server 6.1 with patch 116649-24 or later
  • Sun Java System Web Server 6.1 with Service Pack 12 or later
  • Sun Java System Web Server 7.0 with patch 125438-18 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 with patch 120982-20 or later
  • Sun Java System Application Server 8.0 (Enterprise Edition) with patch 124673-14 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition SVR4) with patch 119167-40 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition file based) with patch 119170-33 or later
  • Sun Java System Application Server 8.2 (Enterprise Edition File Based) with patch 124676-13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with patch 128641-15 or later (for customers with valid support contract) or 141710-03 or later (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128644-15 or later (for customers with valid support contract) or 141701-03 or later (for customers without valid support contract)
Linux
  • Sun Java System Web Server 6.1 with patch 118202-16 or later
  • Sun Java System Web Server 6.1 with Service Pack 12 or later
  • Sun Java System Web Server 7.0 with patch 125439-16 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 with patch 120983-20 or later
  • Sun Java System Application Server 8.0 (Enterprise Edition) with patch 124674-14 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition Package Based) with patch 119168-40 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition File Based) with patch 119171-33 or later
  • Sun Java System Application Server 8.2 (Enterprise Edition File Based) with patch 124677-13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with patch 128642-15 or later (for customers with valid support contract) or 141711-03 or later (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128645-15 or later (for customers with valid support contract) or 141702-03 or later (for customers without valid support contract)
HP-UX
  • Sun Java System Web Server 6.1 with patch 121510-08 or later
  • Sun Java System Web Server 6.1 with Service Pack 12 or later
  • Sun Java System Web Server 7.0 with patch 125440-16 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 with patch 123532-09 or later
Windows
  • Sun Java System Web Server 6.1 with patch 121524-08 or later
  • Sun Java System Web Server 6.1 with Service Pack 12 or later
  • Sun Java System Web Server 7.0 with patch 125441-18 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Proxy Server 4.0 through 4.0.12 with patch 126325-10 or later
  • Sun Java System Application Server 8.0 (Enterprise Edition) with patch 124684-15 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition Package based) with patch 122848-25 or later
  • Sun Java System Application Server 8.1 (Enterprise Edition File Based) with patch 119172-33 or later
  • Sun Java System Application Server 8.2 (Enterprise Edition File Based) with patch 124678-13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128646-15 or later (for customers with valid support contract) or 141703-03 or later (for customers without valid support contract)
This issue is addressed in the following release for Sun Java System Directory Server 5.2 PatchZIP (Compressed Archive) Versions for Solaris 8, 9 and 10 on SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX:
  • Sun Java System Directory Server 5.2 Patch 6 with patch 142806-02 or later
It is recommended that systems running Sun Java System Directory Server 5.2 versions before 5.2 Patch 6 be upgraded to 5.2 Patch 6 and that the resolution patch listed above then be installed.

The upgrade procedure is described in "Sun Java System Directory Server 5.2 Patch 6 Release Notes" in the Installation Chapter at :


This issue is addressed in the following release for Sun Java System Directory Server PatchZIP (Compressed Archive) Versions 6.0 through 6.3.1 for Solaris 9 and 10 on SPARC, x86 and x64 platforms, Linux, HP-UX and Windows:
  • Sun Java System Directory Server Enterprise Edition 6.3.1 with patch 142807-02 or later
It is recommended that systems running Sun Java System Directory Server Enterprise Edition versions before 6.3.1 be upgraded to 6.3.1 and that the resolution patch listed above then be installed.

The upgrade procedure is described in "Sun Java System Directory Server Enterprise Edition 6.3.1 Release Notes" in Chapter 2 at:



A final resolution is pending completion.

For more information on Security Sun Alerts, see 1009886.1.



Modification History
11-Jan-2010: Updated Contributing Factors and Resolution sections
13-Jan-2010: Updated Contributing Factors and Resolution sections
28-Jan-2010: Updated Impact Statement
04-Feb-2010: Updated Contributing Factors and Resolution sections for Linux and Windows patches
10-Feb-2010: Add BugID 6899486, Update Contributing Factors and Resolution sections for addition of Sun Java System Directory Server and related patches

23-Feb-2010: Add BugID 6900117, added patches for Application Server 8.1, patches released for Web Server 6.1, updated Contributing Factors and Resolution sections for all patches released
05-Mar-2010: Patches released for Ent Server 8.0, updated Contributing Factors and Resolution sections