Netscape NSS Tools Vulnerability Affects Sun Java Enterprise System and Solaris


Category :Security
Release Phase :Resolved
Product :Solaris 9 Operating System
Solaris 10 Operating System
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Sun Java Enterprise System 2004Q2  
Bug Id :6302177  
Date of Resolved Release :14-OCT-2005 


Impact

A security vulnerability exists in the Netscape Network Security Services (NSS) tools "signtool" and "modutil". When either program attempts to "unzip" a maliciously constructed JAR, WAR, XPI or ZIP file, it is possible for code in that zip file to take over the running program and then perform tasks with the privilege of the user running the program.

This issue is described by the United States Computer Emergency Readiness Team at:

This issue is also described in CAN-2005-2096 at:


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 for Solaris 8 without patch 119209-05
  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 for Solaris 9 without patch 119211-05
  • Sun Java Enterprise System 2005Q1 for Solaris 10 without patch 119213-05
  • Solaris 9 without patch 119211-05
  • Solaris 10 without patch 119213-05

x86 Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 for Solaris 9 without patch 119212-05
  • Sun Java Enterprise System 2005Q1 for Solaris 10 without patch 119214-05
  • Solaris 9 without patch 119212-05
  • Solaris 10 without patch 119214-05

Symptoms

There are no visible symptoms that would indicate the described issue has been exploited.


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

Sparc Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 for Solaris 8 with patch 119209-05 or later
  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 for Solaris 9 with patch 119211-05 or later
  • Sun Java Enterprise System 2005Q1 for Solaris 10 with patch 119213-05 or later
  • Solaris 9 with patch 119211-05 or later
  • Solaris 10 with patch 119213-05 or later

x86 Platform

  • Sun Java Enterprise System 2003Q4, 2004Q2 and 2005Q1 for Solaris 9 with patch 119212-05 or later
  • Sun Java Enterprise System 2005Q1 for Solaris 10 with patch 119214-05 or later
  • Solaris 9 with patch 119212-05 or later
  • Solaris 10 with patch 119214-05 or later





Attachments
This solution has no attachment
 
Sun support customers:
more support information is available after you sign in.
 
»   Login
»   Register
»   Lost UserName/Password
 
Login Required

You must login and have a valid contract to access Sun's Premium content which includes:

  • Sun Alerts
  • Bugs
  • Patches
  • Solutions
  • White Papers
  • Documentation
  • Support Knowledge

Login Required

You must login and have a valid contract to access Sun's contracted features

Access Legend:

(Login to access)   Sun Contracted Content
(Login to access)   Sun Contracted Feature

Please make use of SunSolve Feedback application by selecting the floating [+] to provide feedback about this specific document.

Search
Article Details
Article ID : 200481
Article Type : Sun Alert
Last reviewed : 2005-10-14
Audience : PUBLIC
Keywords :
Provide feedback  (help)
Page Tools
»  Print This Page
»  Email This Article
»  Bookmark This Article
Security Support
»   Security Center
»   Report Security Vulnerabilities
»   Security PGP Key
»   Sun Alert Notifications - RSS Feeds
»   Sun Alert Notifications - eNewsletter
»   Solaris Fingerprint Database
 
SunSolve Navigation
»   Forums for contracted customers
»   Licenses
»   Log a Service Request
»   Patches and Updates
»   Product Download Center
»   SunSystem Handbook
»   SunSolve Japan
SunSolve Feedback, Help and Updates
»   Blog
»   Community
»   Feedback
»   Help
»   Learn about SunSolve
»   Twitter
About Oracle | Oracle and Sun | Oracle RSS Feeds | Subscribe | Careers | Contact Us | Site Maps | Legal Notices | Terms of Use | Your Privacy Rights | Copyright © 2010, Oracle Corporation and/or its affiliates | SunSolve Version 7.4.2 #1