[Sun] UPDATE: Vulnerability in the verification of RSA signatures in Java servers - Sun Alert ID 102696
Dear colleagues,
We have just received the following bulletin from the SUN Customer Warning
System. We are passing this information on to you unchanged.
Please note that this is an update of the advisory, concerning the
following changes:
With this update, patches for Sun Java System Application Server 8.1
(Enterprise and Platform Edition) are released on all platforms.
CVE-2006-4339 / CVE-2006-4340 / CVE-2006-4790 / MFSA 2006-60 -
Vulnerability in the verification of RSA signatures
Some X.509 implementations do not sufficiently check, when verifying an
RSA signature, whether further data follow the hash value inside the
PKCS#1 field. An attacker can exploit this vulnerability to have data
carrying a forged signature accepted as correctly signed.
Vulnerability CVE-2006-4339 affects OpenSSL, CVE-2006-4790 affects GnuTLS,
and CVE-2006-4340 affects Network Security Services (NSS). Sun Bug ID
6466389 affects the JDK.
The following software packages and platforms are affected:
SPARC platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without patch 119169-12 or (SVR4) patch 119166-20
* Sun Java System Application Server Platform Edition 8.1 2005 Q1
without patch 119173-12 or (SVR4) patch 119166-20
* Sun ONE Web Proxy Server 3.6
* Sun Java System Proxy Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
x86 platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without patch 119170-12 or (SVR4) patch 119167-20
* Sun Java System Application Server Platform Edition 8.1 2005 Q1
without patch 119174-12 or (SVR4) patch 119167-20
* Sun ONE Web Proxy Server 3.6
* Sun Java System Proxy Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
Linux platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without patch 119171-12 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20
* Sun Java System Application Server Platform Edition 8.1 2005 Q1
without patch 119175-12 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20
* Sun ONE Web Proxy Server 3.6
* Sun Java System Proxy Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
Windows platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without patch 119172-12
* Sun Java System Application Server Platform Edition 8.1 2005 Q1
without patch 119176-12
* Sun ONE Web Proxy Server 3.6
* Sun Java System Proxy Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
Vendor advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102696-1
(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in part, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Klaus Moeller, DFN-CERT
Sun(sm) Alert Notification
* Sun Alert ID: 102696
* Synopsis: A Security Vulnerability in RSA Signature Verification Affects
Sun Java System Application Server, Proxy Server and Web Server
* Category: Security
* Product: Sun Java System Application Server Standard Edition 7 2004Q2,
Sun Java System Application Server Platform Edition 8.1 2005Q1, Sun Java
System Web Proxy Server 4.0, Sun Java System Web Server 6.1, Sun Java
System Application Server Enterprise Edition 7 2004Q2, Sun Java System
Application Server Enterprise Edition 8.1 2005Q1, Sun ONE Web Server
6.0, Sun Java System Web Proxy Server 3.6
* BugIDs: 6472033, 6473494
* Avoidance: Patch
* State: Workaround
* Date Released: 03-Nov-2006
* Date Closed:
* Date Modified: 08-Nov-2006, 21-Nov-2006
1. Impact
Sun Java System Application Server, Sun Java System Proxy Server and Sun
Java System Web Server are vulnerable to an RSA Signature Verification
vulnerability which may allow remote unprivileged users to construct
certificates with forged signatures that go undetected and are accepted as
valid.
This issue is also described in the following documents:
CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620
CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
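The verification flaw described in the German summary and in the Impact section above, as an added example written for this post (not code from DFN-CERT or Sun): a strict PKCS#1 v1.5 check compares the entire recovered block against the expected encoding, while the flawed pattern stops checking once the DigestInfo has matched and never looks at what follows it. The RSA step (s^e mod n) is assumed to have already produced the block em; the 128-byte test vectors are constructed.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build the full EM = 0x00 0x01 PS 0x00 T that a correct signer produces."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def strict_verify(em: bytes, message: bytes, em_len: int) -> bool:
    """Hardened check: the whole recovered block must equal the expected encoding."""
    if len(em) != em_len:
        return False
    return hmac.compare_digest(em, pkcs1_v15_encode(message, em_len))

def lenient_verify(em: bytes, message: bytes) -> bool:
    """The flawed pattern: walk past the padding, check the hash, ignore the rest."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = em[i + 1:]
    expected = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    # Bug: only the leading bytes of t are compared; trailing bytes are never checked,
    # and the padding length is never required to fill the block.
    return t[:len(expected)] == expected

# Constructed test vectors for a 1024-bit modulus (em_len = 128 bytes).
EM_LEN = 128
MESSAGE = b"constructed test message"

def good_block() -> bytes:
    return pkcs1_v15_encode(MESSAGE, EM_LEN)

def malformed_block() -> bytes:
    """Valid header and hash, padding far too short, garbage after the DigestInfo."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(MESSAGE).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + bytes([0xAB] * (EM_LEN - len(head)))
```

A verifier test suite should include blocks like malformed_block(): strict_verify rejects it, lenient_verify accepts it.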
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without (file-based) patch 119169-12 or (SVR4) patch 119166-20
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
(file-based) patch 119173-12 or (SVR4) patch 119166-20
* Sun ONE Web Proxy Server 3.6
* Sun Java System Proxy Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
x86 Platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without (file-based) patch 119170-12 or (SVR4) patch 119167-20
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
(file-based) patch 119174-12 or (SVR4) patch 119167-20
* Sun ONE Web Proxy Server 3.6
* Sun Java System Proxy Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
Linux Platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without (file-based) patch 119171-12 or RHEL2.1/RHEL3.0 (Pkg_patch)
119168-20
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
(file-based) patch 119175-12 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20
* Sun ONE Web Proxy Server 3.6
* Sun Java System Proxy Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
Windows Platform
* Sun ONE Application Server 7
* Sun Java System Application Server 7 2004Q2
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
without (file-based) patch 119172-12
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
(file-based) patch 119176-12
* Sun ONE Web Proxy Server 3.6
* Sun Java System Web Server 4.0
* Sun Java System Web Server 6.0
* Sun Java System Web Server 6.1
To determine the version of Sun Java System Application Server on a system,
the following command can be run:
$ <AS_INSTALL>/bin/asadmin version --verbose
Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)
(Where <AS_INSTALL> is the installation directory of the Application
Server).
To determine the version of Sun ONE Application Server on a system, the
following command can be run:
$ <WS-install>/https-<host>/start -version
(Where <WS-install> is top installation directory of Web Server and <host>
should be the actual host name on which the Web Server is installed).
To determine the version of Sun Java System Proxy Server on a system, the
following command can be run:
$ <PS_INSTALL>/bin/ns-proxy -v
Sun ONE Web Proxy Server 3.6-SP9 B2006.191.1801 SP9
(Where <PS_INSTALL> is the installation directory of the Proxy Server).
3. Symptoms
There are no predictable symptoms that would indicate the described issue
has occurred.
Solution Summary
4. Relief/Workaround
There is no workaround for this issue. Please see the Resolution section
below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
(file-based) patch 119169-12 or later or (SVR4) patch 119166-20 or later
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
(file-based) patch 119173-12 or later or (SVR4) patch 119166-20 or later
x86 Platform
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
(file-based) patch 119170-12 or later or (SVR4) patch 119167-20 or later
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
(file-based) patch 119174-12 or later or (SVR4) patch 119167-20 or later
Linux Platform
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
(file-based) patch 119171-12 or later or RHEL2.1/RHEL3.0 (Pkg_patch)
119168-20 or later
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
(file-based) patch 119175-12 or later or RHEL2.1/RHEL3.0 (Pkg_patch)
119168-20 or later
Windows Platform
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
(file-based) patch 119172-12 or later
* Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
(file-based) patch 119176-12 or later
A final resolution is pending completion.
Change History
08-Nov-2006:
* Updated Contributing Factors section
21-Nov-2006:
* Updated Contributing Factors and Resolution sections
This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information. It is being provided to you
pursuant to the provisions of your agreement to purchase services from Sun,
or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
Alert notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
--
Dipl. Inform. Klaus Moeller (CSIRT), DFN-CERT Services GmbH
https://www.dfn-cert.de/, +49-40-808077-555