[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

HP-UX 10.24 (VVOS) Sicheerheitsbulletin zu SSL (VirtualVault, Netscape)

To: win-sec-ssc@xxxxxxxxxxx
Subject: HP-UX 10.24 (VVOS) Sicheerheitsbulletin zu SSL (VirtualVault, Netscape)
From: win-sec-ssc@xxxxxxxxxxx
Date: Thu, 13 Aug 1998 13:47:01 +0200 (MET DST)
Organization: DFN-CERT (Computer Emergency Response Team, Germany)

-----BEGIN PGP SIGNED MESSAGE-----

Hallo,

wir hatten Sie vor ca. 2 Monaten auf eine Schwachstelle in einigen SSL-
Implementationen hingewiesen. Betroffen hiervon waren auch diverse Netscape
Produkte betroffen (eine ausfuehrlichere Beschreibung gibt es im Web unter
http://help.netscape.com/products/server/ssldiscovery/index.html).

Heute erreicht uns das nachfolgende HP Bulletin, in dem auch noch einmal
auf diese Schwachstelle hingewiesen wird, da der Netscape Enterprise Server
Release 2.01 Bestandteil der Pakete VirtualVault A.02.00 und A.03.00 ist.

Wir geben diese Informationen unveraendert an sie weiter.

Mit freundlichen Gruessen
  Wolfgang Ley (DFN-CERT)
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@xxxxxxxxxxx   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@xxxxxxxxxxxxxxx any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

===========================================================================
- -------------------------------------------------------------------------
      HEWLETT-PACKARD SECURITY BULLETIN: #00082 12 August 1998
- -------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

- -------------------------------------------------------------------------
PROBLEM:  The Million Question vulnerability affects the use of RSA Data
          Security encryption algorithms with Netscape server products
          that support Secure Sockets Layer (SSL). The nature of the
          vulnerability is that a single encrypted SSL network
          conversation could be recorded and subsequently decrypted.
          The Netscape Enterprise Server Release 2.01 is embedded in
          the VirtualVault A.02.00 and A.03.00 releases.

PLATFORM: HP9000 Series 7/800 running:
          HP-UX 10.24 (VVOS) with VirtualVault A.02.00 (NES 2.01 embedded)
          HP-UX 10.24 (VVOS) with VirtualVault A.03.00 (NES 2.01 embedded)

DAMAGE:   A cryptanalytic vulnerability could potentially be used to
          discover the key for a particular encrypted session through
          a process of repeatedly sending on the order of one million
          carefully constructed messages to a target server and observing
          the server's response.

SOLUTION: Apply the appropriate VirtualVault Patch noted below.

AVAILABILITY: All patches for the VirtualVault releases 2.0 and 3.0 are
              available now from HP.
- -------------------------------------------------------------------------
I.
  A. Background
     According to RSA Data Security, Inc., this potential attack against
     secure Web communications is currently the subject of research and
     has not been reported by any users.

     CERT has made a technical advisory (CA-98.07.PKCS) on this
     vulnerability available at http://www.cert.org/.

  B. Recommended solution

     This problem can be eliminated by installing the recommended patch.
     Hewlett-Packard recommends that the following patches be loaded
     as applicable:

     HP-UX 10.24 (VVOS) with VirtualVault A.02.00 (US/Canada): PHSS_15993
     HP-UX 10.24 (VVOS) with VirtualVault A.02.00 (Export): PHSS_15994
     HP-UX 10.24 (VVOS) with VirtualVault A.03.00 (US/Canada): PHSS_15935
     HP-UX 10.24 (VVOS) with VirtualVault A.03.00 (Export): PHSS_15936

     Customers running the Export version of VirtualVault (B5410AA,
     B5410BA, B5412AA, B5412BA) may download the patch PHSS_15994 or
     PHSS_15936 from the Electronic Support Center or request a tape from
     their local Response Center.
     Customers running the US/Canada version of VirtualVault (B5409AA,
     B5409BA, B5411AA, B5411BA) who reside in the US or Canada can request
     a tape of patch PHSS_15993 or PHSS_15935 from their local Response
     Center.
     Customers running the US/Canada version of VirtualVault outside of
     the US and Canada will be shipped the patch directly.

  C. Impact of the patch

     Applying patches PHSS_15993, PHSS_15994, PHSS_15935 or PHSS_15936
     eliminates the vulnerability in the Netscape Enterprise Server yet
     does not otherwise impact the system.

  D. To subscribe to automatically receive future NEW HP Security
     Bulletins from the HP Electronic Support Center via electronic
     mail, do the following:

     Use your browser to get to the HP Electronic Support Center page at:

       http://us-support.external.hp.com
              (for US, Canada, Asia-Pacific, & Latin-America)
       http://europe-support.external.hp.com     (for Europe)

     Login with your user ID and password (or register for one).
     Remember to save the User ID assigned to you, and your password.
     Once you are in the Main Menu:
      To -subscribe- to future HP Security Bulletins,
        click on "Support Information Digests".
      To -review- bulletins already released from the main Menu,
        click on the "Technical Knowledge Database (Security Bulletins
        only)".
     Near the bottom of the next page, click on "Browse the HP Security
     Bulletin Archive".
     Once in the archive there is another link to our current Security
     Patch Matrix.  Updated daily, this matrix is categorizes security
     patches by platform/OS release, and by bulletin topic.


  E. To report new security vulnerabilities, send email to

         security-alert@xxxxxx

     Please encrypt any exploit information using the security-alert
     PGP key, available from your local key server, or by sending a
     message with a -subject- (not body) of 'get key' (no quotes) to
     security-alert@xxxxxxx

    Netscape, Messaging, Collabora, FastTrack/Enterprise Server and
    Netscape Server are trademarks of Netscape Communications Corp.

    Permission is granted for copying and circulating this Bulletin to
    Hewlett-Packard (HP) customers (or the Internet community) for the
    purpose of alerting them to problems, if and only if, the Bulletin
    is not edited or changed in any way, is attributed to HP, and
    provided such reproduction and/or distribution is performed for
    non-commercial purposes.

    Any other use of this information is prohibited. HP is not liable
    for any misuse of this information by any third party.
________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQEVAwUBNdLSJsvEMj/EqWIlAQGWBgf7BnZ1n6JZ02aC1auGacV36ERimbfOt1bO
MOBRZoo8jlmEY2DSi0NDj68YS6kaTuONhhXoco/Ugxpb9jjtImEvnkzxUn17IaEQ
lzLXB1sTkC96n9qSx6oFzV3q/EhAYetW9RKQnOXOK0OfpnmMFZWVQRF5rHFjKquS
zWeqTMBqx18yWppvf4lwfBVQwpv4kRmDg30MT2uMSZenDMpdCmPWICNxCS9AjmOQ
XuXp8eXFZDKQj2AG6+MtVGBVOk8upbg0/Qy9cbb50lW8i/1qYFhoYGYv+Imk3eQ3
Z/TH8drSAdkHP35a9TNASmYw97hTcL+/JczmN/hnnzE7t0Wjd8DfLw==
=4bnz
-----END PGP SIGNATURE-----

Prev by Date: Update: Microsoft Outlook 98 und Outlook Express Schwachstelle
Next by Date: Cisco Resource Manager (CRM) Sicherheitsprobleme beim Anlegen temporaerer Dateien
Previous by thread: Update: Microsoft Outlook 98 und Outlook Express Schwachstelle
Next by thread: Cisco Resource Manager (CRM) Sicherheitsprobleme beim Anlegen temporaerer Dateien
Index(es):
- Date
- Thread