[Sun] UPDATE: Vulnerability in Java Enterprise System - 102656




Dear colleagues,

We have just received the following bulletin from the SUN Customer Warning
System. We are forwarding this information to you unchanged.

Please note that this is an update of the advisory, covering the
following changes:

  With this update, Sun announces the availability of patches for Solaris
  9 on x86 platforms.

CVE-2006-4339 / CVE-2006-4340 / CVE-2006-4790 / MFSA 2006-60 -
Vulnerability in the verification of RSA signatures

  When verifying an RSA signature, some X.509 implementations do not
  sufficiently check whether further data follows the hash value inside
  the PKCS#1 field. An attacker can exploit this vulnerability to have
  data carrying a forged signature verified as correctly signed.

CVE-2006-4339 affects OpenSSL, CVE-2006-4790 affects GnuTLS, and
CVE-2006-4340 affects Network Security Services (NSS). Sun Bug ID 6466389
affects the JDK.

The following software packages and platforms are affected:

  SPARC Platform
  - Sun Java Enterprise System 2003Q4 (Solaris 8)
  - Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (Solaris 8) before
    patch 119209-10
  - Sun Java Enterprise System 2003Q4 (Solaris 9)
  - Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (Solaris 9) before
    patch 119211-10
  - Sun Java Enterprise System 2005Q1 and 2005Q4 (Solaris 10) before patch
    119213-10
  - Solaris 9 before patch 114049-14
  - Solaris 10 before patch 119213-10

  x86 Platform
  - Sun Java Enterprise System 2003Q4 (Solaris 9)
  - Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (Solaris 9) before
    patch 119212-10
  - Sun Java Enterprise System 2005Q1 and 2005Q4 (Solaris 10) before patch
    119214-10
  - Solaris 9 before patch 114050-14
  - Solaris 10 before patch 119214-10

  Linux Platform
  - Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (Linux)
    before patch 121656-10

  HP-UX Platform
  - Sun Java Enterprise System 2005Q1 and 2005Q4 (HP-UX) before patch 124379-01

  Solaris 8, 9 and 10 (SPARC and x86)
  Linux
  HP-UX

The vendor is providing revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-102656-1


(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in part, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Best regards,
   Andreas Bunten, DFN-CERT
-- 
Andreas Bunten (CSIRT), DFN-CERT Services GmbH
https://www.dfn-cert.de/, +49 40 808077-617

   Sun(sm) Alert Notification
     * Sun Alert ID: 102656
     * Synopsis: Security Vulnerability Issue of Forged RSA Signatures for Java
       Enterprise System and Solaris
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System, Sun
       Java Enterprise System 2003Q4, Sun Java Enterprise System 2005Q1,
       Solaris 8 Operating System, Sun Java Enterprise System 2005Q4, Sun Java
       Enterprise System 2004Q2
     * BugIDs: 6468495
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 25-Oct-2006, 09-Nov-2006
     * Date Closed: 09-Nov-2006
     * Date Modified: 08-Nov-2006, 09-Nov-2006

1. Impact

   A vulnerability in the Sun Java Enterprise System (JES) may allow remote
   unprivileged users to construct certificates with forged signatures that go
   undetected and are accepted as valid signatures. These unprivileged users
   may be able to operate servers that falsely pose as other servers or
   generate forged signatures on emails and software downloads without
   detection.

   This issue is also described in the following documents:

   CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

   CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

   Note: The issue described in this Sun Alert is specific to Sun Java
   Enterprise System (JES). Multiple Sun products are affected by this issue;
   for more details please see Sun Alert 102648 at
   http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Sun Java Enterprise System 2003Q4 (for Solaris 8) without patch
       114045-14
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 8)
       without patch 119209-10
     * Sun Java Enterprise System 2003Q4 (for Solaris 9) without patch
       114049-14
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9)
       without patch 119211-10
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) without
       patch 119213-10
     * Solaris 9 without patch 114049-14
     * Solaris 10 without patch 119213-10

   x86 Platform
     * Sun Java Enterprise System 2003Q4 (for Solaris 9) without patch
       114050-14
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9)
       without patch 119212-10
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) without
       patch 119214-10
     * Solaris 9 without patch 114050-14
     * Solaris 10 without patch 119214-10

   Linux Platform
     * Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for Linux)
       without patch 121656-10

   HP-UX Platform
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) without patch
       124379-01

   Notes:
    1. Sun Java Enterprise System is not available for Solaris 8 on the x86
       platform.
    2. This vulnerability affects all NSS-based SSL clients and S/MIME email
       programs which use NSS versions below 3.11.3.
    3. This vulnerability also affects products that verify signatures on
       downloaded files.

   Among NSS-based server products, this vulnerability only affects those that:

   A) act as SSL clients (including LDAPS clients), or

   B) request and accept certificates from remote SSL clients.

   This vulnerability stems from the code that verifies RSA signatures of the
   kind commonly used on X.509 certificates known as "PKCS#1" version 1.5 RSA
   signatures.
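   The check the advisory describes can be shown directly on the PKCS#1 v1.5
   encoded message (EM) that RSA verification recovers. The following is an
   added example, not code from Sun or NSS: a lenient verifier that scans past
   the padding and stops reading after the hash, next to a strict verifier that
   rebuilds the whole expected block and compares it byte for byte. SHA-1, a
   1024-bit modulus and the sample message are assumptions; the malformed block
   is constructed here to show only the byte layout the check must reject.

```python
import hashlib
import hmac

# SHA-1 DigestInfo prefix from PKCS#1 v1.5 (assumed hash; the advisory names none).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
K = 128  # modulus length in bytes (assumption: 1024-bit key)


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Flawed parse: walks past 00 01 FF..FF 00, reads DigestInfo and the
    hash, and never looks at whatever follows the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    body = em[i + 1:]
    n = len(SHA1_DIGESTINFO)
    if body[:n] != SHA1_DIGESTINFO:
        return False
    # Bytes after the 20-byte digest are silently ignored: this is the bug.
    return hmac.compare_digest(body[n:n + 20], hashlib.sha1(message).digest())


def strict_verify(em: bytes, message: bytes, k: int = K) -> bool:
    """Correct check: rebuild the entire expected EM and compare the whole
    block, so the FF padding must fill every byte before the DigestInfo."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    if k < len(t) + 11:  # RFC 3447 minimum: 8 bytes of FF padding
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def good_em(message: bytes, k: int = K) -> bytes:
    """Constructed, well-formed EM as a conforming signer produces it."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def short_padding_em(message: bytes, k: int = K) -> bytes:
    """Constructed, malformed EM: minimal padding, the correct hash, then
    filler to the block length. The lenient verifier accepts this."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))


MSG = b"constructed sample message"
```

   A verifier that only passes the strict form is what the patched NSS
   releases listed below provide.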

   To determine if the NSS packages are installed on a system, the following
   command can be run:
    % pkginfo SUNWtls

   To determine the version of NSS on a system, the following command can be
   run:
    % pkgparam SUNWtls SUNW_PRODVERS

3. Symptoms

   There are no predictable symptoms that would indicate the described issue
   has occurred.

4. Relief/Workaround

   There is no workaround for this issue. Please see the Resolution section
   below.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Sun Java Enterprise System 2003Q4 (for Solaris 8) with patch 114045-14
       or later
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 8)
       with patch 119209-10 or later
     * Sun Java Enterprise System 2003Q4 (for Solaris 9) with patch 114049-14
       or later
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9)
       with patch 119211-10 or later
     * Solaris 9 with patch 114049-14 or later
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with patch
       119213-10 or later
     * Solaris 10 with patch 119213-10 or later

   x86 Platform
     * Sun Java Enterprise System 2003Q4 (for Solaris 9) with patch 114050-14
       or later
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9)
       with patch 119212-10 or later
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with patch
       119214-10 or later
     * Solaris 9 with patch 114050-14 or later
     * Solaris 10 with patch 119214-10 or later

   Linux Platform
     * Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for Linux)
       with patch 121656-10 or later

   HP-UX Platform
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) with patch
       124379-01 or later

   A final resolution is pending completion.

Change History

   08-Nov-2006:
     * Updated Contributing Factors and Resolution sections

   09-Nov-2006:
     * Updated Contributing Factors and Resolution sections
     * State: Resolved

   This Sun Alert notification is being provided to you on an "AS IS" basis.
   This Sun Alert notification may contain information provided by third
   parties. The issues described in this Sun Alert notification may or may not
   impact your system(s). Sun makes no representations, warranties, or
   guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
   HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
   IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
   CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
   INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
   proprietary and confidential information. It is being provided to you
   pursuant to the provisions of your agreement to purchase services from Sun,
   or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
   Alert notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.