
UNIRAS Brief - 548/05 - Macromedia - JRun 4.0 Token Collision



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - **/05 dated **.07.05  Time: **:**  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Macromedia - JRun 4.0 Token Collision

Detail
====== 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
MPSB05-05 - Security Patch available for JRun 4.0 token 
collision.  

Originally posted: July 14, 2005 

http://www.macromedia.com/go/mpsb05-05  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
Summary: 

Under high load, JRun may generate two sessions with the 
same authentication token. This cannot be controlled by 
an attacker and it occurs very rarely, but it may cause 
two authenticated users to share information from a single 
user session.

~~~~~~~ 

Solution: 

Macromedia has released a JRun 4.0 patch that can be 
downloaded and applied. This only affects products based 
on the JRun 4 server (listed below). 

Download JRun 4.0 patch (ZIP, 9 KB): 
http://www.macromedia.com/go/mpsb05-05 

~~~~~~~ 

Affected Software Versions: 

ColdFusion MX 7.0 Enterprise Multi-Server Edition 
ColdFusion MX 6.1 Enterprise with JRun 
JRun 4.0 

~~~~~~~ 

Severity Rating: 

Macromedia categorizes this issue as a moderate issue 
and recommends users immediately evaluate their 
configuration. 

~~~~~~~ 

Details: 

When a user is authenticated, JRun generates an internal 
authentication token to track that user's information 
(principal, credentials, etc.). Under load, two users can 
obtain the same token and therefore share session 
information. Macromedia has received a report of this 
occurring in a production system, but it happens very 
infrequently, and there is no way for an attacker to cause 
or control a collision.

The patch modifies the authentication token generation 
algorithm to prevent generation of duplicate tokens.
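As an added illustration of the failure mode described above (not Macromedia's code; the bulletin does not describe JRun's actual token algorithm), the following Python places a hypothetical generator that hands the same token to every request arriving in the same millisecond beside a hardened one that draws 128 bits from the OS CSPRNG and refuses to re-issue any token it has already handed out. The class names, the clock-seeding mechanism, the frozen clock and the load harness are all constructed for this example.

```python
import random
import secrets
import threading
import time

# Constructed illustration of the bug class, NOT JRun's real algorithm (the
# bulletin does not describe it): the token is drawn from a PRNG that is
# reseeded from the wall clock on every authentication. Two logins that land
# in the same millisecond share a seed and therefore receive the same token.
class ClockSeededTokenGenerator:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the collision can be shown deterministically

    def next_token(self):
        millis = int(self.clock() * 1000)
        rng = random.Random(millis)          # reseeding per request is the defect
        return f"{rng.getrandbits(128):032x}"


# Hardened generator: 128 bits from the OS CSPRNG per token, plus a
# lock-protected record of everything already issued, so even a repeated
# CSPRNG output could never hand the same token to a second session.
class UniqueTokenGenerator:
    def __init__(self, nbytes=16):
        self.nbytes = nbytes
        self._lock = threading.Lock()
        self._issued = set()

    def next_token(self):
        while True:
            candidate = secrets.token_hex(self.nbytes)
            with self._lock:
                if candidate not in self._issued:
                    self._issued.add(candidate)
                    return candidate
            # A repeat of a fresh 128-bit value is astronomically unlikely;
            # if it ever happens we draw again rather than reuse it.


def issue_concurrently(generator, threads=8, per_thread=250):
    """Stand-in for 'under load': several threads authenticate at once.
    Returns (tokens_issued, duplicate_count)."""
    tokens, lock = [], threading.Lock()

    def worker():
        local = [generator.next_token() for _ in range(per_thread)]
        with lock:
            tokens.extend(local)

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return len(tokens), len(tokens) - len(set(tokens))


def frozen_clock():
    """Every call reports the same instant: the worst case for a clock-seeded
    generator and the equivalent of a burst of logins within one millisecond."""
    return 1121299200.0


if __name__ == "__main__":
    weak = ClockSeededTokenGenerator(clock=frozen_clock)
    print("clock-seeded:", issue_concurrently(weak))                      # every token identical
    print("csprng+unique:", issue_concurrently(UniqueTokenGenerator()))   # no duplicates
```

The uniqueness check is belt and braces on top of the CSPRNG: it is what makes "never issue a duplicate" a guarantee rather than a probability. A real server would back the issued-token record with its live session store (a token is free to issue exactly when no live session holds it) instead of an ever-growing set.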

~~~~~~~ 

Making the Changes: 
 
NOTE: Back up your existing files before making changes. 
As always, test the changes in a non-production environment 
before applying the changes to production servers.

JRun 4.0 or ColdFusion MX 7.0 Multi-Server Edition: 
1. Download the patch above and expand it. 
2. Stop all JRun servers. 
3. Place the jrun-hotfix-MPSB05-05.jar in the 
   {jrun_root}/servers/lib directory. 
4. Restart JRun. 

ColdFusion MX 7.0 Enterprise or ColdFusion MX 6.1 Enterprise 
Edition (for ColdFusion MX 6.1, Updater 1 is required): 
1. Download the patch above, and expand it. 
2. Stop ColdFusion MX. 
3. Place the jrun-hotfix-MPSB05-05.jar in the 
   {cf_root}/runtime/servers/lib directory. Create the 
   {cf_root}/runtime/servers/lib directory if it does not 
   exist. 
4. On Unix systems only: 
   a. Edit the file {cf_root}/runtime/bin/jvm.config. 
   b. Find the JVM classpath section. 
   c. Add {application.home}/runtime/servers/lib as the first 
      entry in the java.class.path list (keep the whole 
      comma-separated list on one line). 

   Example: JVM classpath 

   java.class.path={application.home}/runtime/servers/lib,{application.home}/runtime/../../src,{application.home}/lib/cfusion.jar,{application.home}/runtime/lib/webservices.jar

5. Start ColdFusion MX. 

NOTE: This patch will be incorporated into ColdFusion MX 7.0 
Updater 1 and JRun 4.0 Updater 6.
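Added here as a post-install check (example code, not part of the bulletin or of Macromedia's patch): a Python script that verifies the hotfix jar sits in the directory the steps above name for each product layout and, for the ColdFusion layout on Unix, that jvm.config lists {application.home}/runtime/servers/lib as the first java.class.path entry. The function names, the layout labels and the sample jvm.config texts are constructed for this example; the "first entry" requirement is the bulletin's own, and the usual reason for such an ordering is that the JVM then resolves the patched classes before the originals (the bulletin does not spell this out).

```python
import os

HOTFIX_JAR = "jrun-hotfix-MPSB05-05.jar"
REQUIRED_FIRST_ENTRY = "{application.home}/runtime/servers/lib"

# Constructed sample jvm.config fragments (not copied from any installation),
# modelled on the classpath example in the bulletin.
PATCHED_JVM_CONFIG = """# JVM classpath
java.class.path={application.home}/runtime/servers/lib,{application.home}/runtime/../../src,{application.home}/lib/cfusion.jar,{application.home}/runtime/lib/webservices.jar
java.library.path={application.home}/lib
"""
UNPATCHED_JVM_CONFIG = """# JVM classpath
java.class.path={application.home}/runtime/../../src,{application.home}/lib/cfusion.jar,{application.home}/runtime/lib/webservices.jar
"""
WRONG_ORDER_JVM_CONFIG = """java.class.path={application.home}/lib/cfusion.jar,{application.home}/runtime/servers/lib
"""


def hotfix_lib_dir(root, layout):
    """Directory the bulletin names for the jar in each product layout."""
    if layout == "jrun":        # JRun 4.0 or CFMX 7.0 Multi-Server: {jrun_root}/servers/lib
        return os.path.join(root, "servers", "lib")
    if layout == "coldfusion":  # CFMX 7.0 / 6.1 Enterprise: {cf_root}/runtime/servers/lib
        return os.path.join(root, "runtime", "servers", "lib")
    raise ValueError(f"unknown layout {layout!r}")


def parse_classpath(jvm_config_text):
    """Return the java.class.path entries (one comma-separated line in
    jvm.config); comments and blank lines are skipped, [] if the key is absent."""
    for raw in jvm_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "java.class.path":
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def classpath_findings(jvm_config_text):
    """Problems with the Unix-only jvm.config change; [] when it is correct."""
    entries = parse_classpath(jvm_config_text)
    if not entries:
        return ["jvm.config has no java.class.path line"]
    if REQUIRED_FIRST_ENTRY not in entries:
        return [f"{REQUIRED_FIRST_ENTRY} is missing from java.class.path"]
    if entries[0] != REQUIRED_FIRST_ENTRY:
        return [f"{REQUIRED_FIRST_ENTRY} must be the FIRST java.class.path entry, "
                f"found at position {entries.index(REQUIRED_FIRST_ENTRY) + 1}"]
    return []


def hotfix_findings(root, layout, unix=(os.name == "posix")):
    """Check one installation; an empty list means the bulletin's steps are in place."""
    findings = []
    jar = os.path.join(hotfix_lib_dir(root, layout), HOTFIX_JAR)
    if not os.path.isfile(jar):
        findings.append(f"hotfix jar not found: {jar}")
    if layout == "coldfusion" and unix:   # the jvm.config edit applies to Unix only
        cfg = os.path.join(root, "runtime", "bin", "jvm.config")
        if not os.path.isfile(cfg):
            findings.append(f"jvm.config not found: {cfg}")
        else:
            with open(cfg) as fh:
                findings.extend(classpath_findings(fh.read()))
    return findings


if __name__ == "__main__":
    import sys
    root, layout = sys.argv[1], sys.argv[2]   # e.g. /opt/coldfusionmx7 coldfusion
    problems = hotfix_findings(root, layout)
    print("\n".join(problems) if problems else f"MPSB05-05 hotfix in place under {root}")
    sys.exit(1 if problems else 0)
```

Run it after restarting the server and before the instance goes back into rotation; a non-zero exit means one of the steps above was skipped or the jar landed in the wrong lib directory.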

~~~~~~~ 

Acknowledgements: 

Macromedia would like to thank Greg Ball from the University 
of Virginia for reporting this vulnerability and for working 
with us to help protect our customers' security. 

~~~~~~~ 

Revisions: 

July 14, 2005 - Bulletin first created.

~~~~~~~ 

Reporting Security Issues: 

Macromedia is committed to addressing security issues 
and providing customers with the information on how they 
can protect themselves. If you identify what you believe 
may be a security issue with a Macromedia product, please 
send an e-mail to secure@xxxxxxxxxxxxxxx. We will work to 
appropriately address and communicate the issue.

~~~~~~~ 

Receiving Security Bulletins: 

When Macromedia becomes aware of a security issue 
that we believe significantly affects our products or 
customers, we will notify customers when appropriate. 
Typically this notification will be in the form of a 
security bulletin explaining the issue and the response. 
Macromedia customers who would like to receive 
notification of new security bulletins when they are 
released can sign up for our security notification 
service.

For additional information on security issues at 
Macromedia, please visit: 
http://www.macromedia.com/security.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS 
OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. 
MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, 
WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF 
NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT. (USA ONLY) 
SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED 
WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. 

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE 
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT 
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, 
SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS 
INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, 
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF 
CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), 
PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. 
OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO 
THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU 
AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM 
STATE TO STATE.

Macromedia reserves the right, from time to time, to 
update the information in this document with current 
information.



- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Macromedia for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQte/jopao72zK539AQHr6gP+LApBtd6Ud2FWOCq9fSgmKqXY6pPx/w9U
cwBGjlLiePR8xyd2BQ/Si6QITOoxCaSCOfniEXrozGDL69L9yLgqC7hVJpueGpkx
XEifn1zHNaC/DJEprhV5obOg//AhdqxKrVTY7PEKkkaHpYEuby+wDflqTo0wcWaJ
N//JmUVTn0o=
=qhAE
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
