Security Vulnerabilities in the Network Security Services (NSS) May Affect SSL Clients and SSL Servers |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Sun Java Enterprise System 5
Solaris 9 Operating System
Solaris 10 Operating System
Sun Java Enterprise System 2003Q4
Sun Java Enterprise System 2005Q1
Sun Java Enterprise System 2005Q4
Sun Java Enterprise System 2004Q2
|
| Bug Id : | 6507762
|
| Date of Resolved Release : | 29-MAR-2007
|
Security vulnerabilities in the Network Security Services (NSS) implementation of SSL2 may affect both SSL clients (such as browsers) and SSL servers which make use of this library. As a result, the client or server may exit unexpectedly, which is a type of Denial of Service (DoS). For servers running on Microsoft Windows, they may present a remote code execution vulnerability.
These vulnerabilities are in NSS's implementation of SSL2, not in the SSL2 protocol itself.
Note: NSS is a set of libraries that implement SSL2, SSL 3.0 and TLS (SSL 3.1). NSS is widely used. It is used in the Mozilla family of browsers offered by Sun to Solaris users. It is also used in the "Java Enterprise Server" (JES) family of server products, including Web server, Directory Server, Messaging Server, Application Server, Portal Server, and others. It is used for the built-in LDAPS client in Solaris 9 and 10 which may be used as part of the Solaris login program.
This issue is also described in the following documents:
Contributing Factors
These issues can occur in the following releases:
SPARC Platform
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 8 without patch 119209-12
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 without patch 119211-12
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 without patch 119213-12
- Sun Java Enterprise System 5 without patch 125358-01
- Solaris 9 without patch 119211-12
- Solaris 10 without patch 119213-12
x86 Platform
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 without patch 119212-12
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 without patch 119214-12
- Sun Java Enterprise System 5 without patch 125359-01
- Solaris 9 without patch 119212-12
- Solaris 10 without patch 119214-12
Linux Platform
- Sun Java Enterprise System 2004Q2, 2005Q1, 2005Q4 and Sun Java Enterprise System 5 without patch 121656-12
HP-UX Platform
- Sun Java Enterprise System 2005Q1, 2005Q4 and Sun Java Enterprise System 5 without patch 124379-03
Windows Platform
- Sun Java Enterprise System 2005Q1
- Sun Java Enterprise System 2005Q4 without patch 124392-04
- Sun Java Enterprise System 5 without patch 125923-01
Note 1: Sun Java Enterprise System is not supported on Solaris 8 x86.
Note 2: SSL2 is the oldest of the SSL/TLS family of security protocols, and it is now widely regarded as comparatively weak and obsolete. It is therefore recommended that sites move away from SSL2 to SSL 3.0 or TLS.
To determine if the NSS packages are installed on a system, the following command can be run:
% pkginfo SUNWtls
To determine the version of NSS on a system, the following command can be run:
% pkgparam SUNWtls SUNW_PRODVERS
Systems affected by this issue have NSS version of 3.11.4 or earlier.
Symptoms
There are no reliable symptoms that would indicate the described issues have been exploited.
Workaround
To work around the described issue, disable SSL2 in the products that use NSS. Disabling SSL2 will force NSS to use SSL 3.0 and/or SSL 3.1 (TLS).
The exact procedures to disable SSL2 varies from product to product. Browsers have panels of "preferences" in which SSL2 can be disabled. Servers have various administration tools including command line tools, GUI tools, and separate administration servers (web servers) that are accessed through a browser.
Note 1: FireFox 2.0 already has SSL2 disabled by default.
Note 2: Due to the weak security status of SSL2, customers are advised to disable SSL2 and leave it disabled, even when a fix for this vulnerability is available from Sun.
Resolution
These issues are addressed in the following releases:
SPARC Platform
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 8 with patch 119209-12 or later
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 with patch 119211-12 or later
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 with patch 119213-12 or later
- Sun Java Enterprise System 5 with patch 125358-01 or later
- Solaris 9 with patch 119211-12 or later
- Solaris 10 with patch 119213-12 or later
x86 Platform
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 9 with patch 119212-12 or later
- Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 for Solaris 10 with patch 119214-12 or later
- Sun Java Enterprise System 5 with patch 125359-01 or later
- Solaris 9 with patch 119212-12 or later
- Solaris 10 with patch 119214-12 or later
Linux Platform
- Sun Java Enterprise System 2004Q2, 2005Q1, 2005Q4 and Sun Java Enterprise System 5 with patch 121656-12 or later
HP-UX Platform
- Sun Java Enterprise System 2005Q1, 2005Q4 and Sun Java Enterprise System 5 with patch 124379-03 or later
Windows Platform
- Sun Java Enterprise System 2005Q4 with patch 124392-04 or later
- Sun Java Enterprise System 5 with patch 125923-01 or later
Sun Java Enterprise System 2005Q1 systems should either apply the workaround described in section 4: "Relief/Workaround" or upgrade to Sun Java Enterprise System 5 and apply patch 125923-01.
Modification HistoryDate: 13-JUL-2007
- Updated Contributing Factors and Resolution sections
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
