Security Vulnerability Issue of Forged RSA Signatures for Java Enterprise System and Solaris |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Solaris 9 Operating System
Solaris 10 Operating System
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Solaris 8 Operating System
Sun Java Enterprise System 2005Q4
Sun Java Enterprise System 2004Q2
|
| Bug Id : | 6468495
|
| Date of Workaround Release : | 25-OCT-2006
|
| Date of Resolved Release : | 09-NOV-2006
|
A vulnerability in the Sun Java Enterprise System (JES) may allow remote unprivileged users to construct certificates with forged signatures that go undetected and are accepted as valid signatures. These unprivileged users may be able to operate servers that falsely pose as other servers or generate forged signatures on emails and software downloads without detection.
This issue is also described in the following documents:
CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620
CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
Note: The issue described in this Sun Alert is specific to Sun Java Enterprise System (JES). Multiple Sun products are affected by this issue; for more details please see Sun Alert 102648 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun Java Enterprise System 2003Q4 (for Solaris 8) without patch 114045-14
- Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 8) without patch 119209-10
- Sun Java Enterprise System 2003Q4 (for Solaris 9) without patch 114049-14
- Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) without patch 119211-10
- Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) without patch 119213-10
- Solaris 9 without patch 114049-14
- Solaris 10 without patch 119213-10
x86 Platform
- Sun Java Enterprise System 2003Q4 (for Solaris 9) without patch 114050-14
- Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) without patch 119212-10
- Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) without patch 119214-10
- Solaris 9 without patch 114050-14
- Solaris 10 without patch 119214-10
Linux Platform
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for Linux) without patch 121656-10
HP-UX Platform
- Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) without patch 124379-01
Notes:
- Sun Java Enterprise System is not available for Solaris 8 on the x86 platform.
- This vulnerability affects all NSS-based SSL clients and S/MIME email programs which use NSS versions below 3.11.3.
- This vulnerability also affects products that verify signatures on downloaded files.
Among NSS-based server products, this vulnerability only affects those that:
A) act as SSL clients (including LDAPS clients), or
B) request and accept certificates from remote SSL clients.
This vulnerability stems from the code that verifies RSA signatures of the kind commonly used on X.509 certificates known as "PKCS#1" version 1.5 RSA signatures.
To determine if the NSS packages are installed on a system, the following command can be run:
% pkginfo SUNWtls
To determine the version of NSS on a system, the following command can be run:
% pkgparam SUNWtls SUNW_PRODVERS
Symptoms
There are no predictable symptoms that would indicate the described issue has occurred.
Workaround
There is no workaround for this issue. Please see the Resolution section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun Java Enterprise System 2003Q4 (for Solaris 8) with patch 114045-14 or later
- Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 8) with patch 119209-10 or later
- Sun Java Enterprise System 2003Q4 (for Solaris 9) with patch 114049-14 or later
- Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) with patch 119211-10 or later
- Solaris 9 with patch 114049-14 or later
- Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with patch 119213-10 or later
- Solaris 10 with patch 119213-10 or later
x86 Platform
- Sun Java Enterprise System 2003Q4 (for Solaris 9) with patch 114050-14 or later
- Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris 9) with patch 119212-10 or later
- Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with patch 119214-10 or later
- Solaris 9 with patch 114050-14 or later
- Solaris 10 with patch 119214-10 or later
Linux Platform
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for Linux) with patch 121656-10 or later
HP-UX Platform
- Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) with patch 124379-01 or later
A final resolution is pending completion.
Modification HistoryDate: 08-NOV-2006
08-Nov-2006:
- Updated Contributing Factors and Resolution sections
Date: 09-NOV-2006
09-Nov-2006:
- Updated Contributing Factors and Resolution sections
- State: Resolved
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
