=====================================================================
                                     CERT-Renater

                          Note d'Information No. 2007/VULN262
_____________________________________________________________________

DATE                      : 13/06/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris systems running NSS.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 102945
      * Synopsis: Security Vulnerabilities in the Network Security
        Services (NSS) Library May Affect Sun Java System Application
        Server, Web Server and Web Proxy Server
      * Category: Security
      * Product: Sun Java System Application Server Platform Edition 8.1
        2005Q1, Sun Java System Web Server 7.0, Sun Java System Web Proxy
        Server 4.0, Sun Java System Web Server 6.1, Sun Java System
        Application Server Enterprise Edition 8.1 2005Q1
      * BugIDs: 6546271, 6534224, 6540248
      * Avoidance: Patch, Upgrade
      * State: Workaround
      * Date Released: 11-Jun-2007
      * Date Closed:
      * Date Modified:

1. Impact

    Sun Java System Application Server, Web Server and Proxy Server make
    use of the Network Security Services (NSS) library and are impacted by
    a number of security vulnerabilities related to the SSL2
    implementation in that library if SSL2 is enabled in these servers.
    These vulnerabilities may allow remote users to cause the server to
    exit unexpectedly, causing a denial of service (DoS) to the
    application, or to execute arbitrary code.

    These issues are also described in the following documents:
      * CVE-2007-0008 at:
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
      * CVE-2007-0009 at:
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
      * CERT VU#377812 at: http://www.kb.cert.org/vuls/id/377812
      * CERT VU#592796 at: http://www.kb.cert.org/vuls/id/592796

    Other Sun products make use of the NSS library. For information
    regarding the impact to other products, please see Sun Alert 102856
    at:
      * http://sunsolve.sun.com/search/document.do?assetkey=1-26-102856
        -1

2. Contributing Factors

    These issues can occur in the following releases:

    SPARC Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119169-16 or (SVR4) patch
        119166-24
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file-based) patch 119173-16 or (SVR4) patch
        119166-24
      * Sun Java System Web Server 6.1
      * Sun Java System Web Server 7.0
      * Sun Java System Web Proxy Server 4.0 without Service Pack 5

    x86 Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119170-16 or (SVR4) patch
        119167-24
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file-based) patch 119174-16 or (SVR4) patch
        119167-24
      * Sun Java System Web Server 6.1
      * Sun Java System Web Server 7.0
      * Sun Java System Web Proxy Server 4.0 without Service Pack 5

    Linux Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119171-16 or RHEL2.1/RHEL3.0
        (Pkg_patch) 119168-24
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file-based) patch 119175-16 or RHEL2.1/RHEL3.0
        (Pkg_patch) 119168-24
      * Sun Java System Web Server 6.1
      * Sun Java System Web Server 7.0
      * Sun Java System Web Proxy Server 4.0 without Service Pack 5

    AIX Platform
      * Sun Java System Web Server 6.1

    HP-UX Platform
      * Sun Java System Web Server 6.1
      * Sun Java System Web Server 7.0
      * Sun Java System Web Proxy Server 4.0 without Service Pack 5

    Windows Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        without (file-based) patch 119172-16 or (package based patch)
        122848-09
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        without (file-based) patch 119176-16
      * Sun Java System Web Server 6.1
      * Sun Java System Web Server 7.0
      * Sun Java System Web Proxy Server 4.0 without Service Pack 5

    To determine the version of Sun Java System Application Server on a
    system, the following command can be run:
     $ <AS_INSTALL>/bin/asadmin version --verbose
     (Where <AS_INSTALL> is the installation directory of the Application Server
)

    To determine the version of Sun Java System Web Server on a system,
    the following command can be run:
     $ <WS-install>/https-<host>/start -version
     (Where <WS-install> is the installation directory of the Web Server and <ho
st> should be the actual host name on which the Web Server is installed)

    To determine the version of Sun Java System Web Proxy Server on a
    system, the following command can be run:
     $ <PS_INSTALL>/bin/ns-proxy -v
     (Where <PS_INSTALL> is the installation directory of the Web Proxy Server)

    Note: SSL v2 is disabled by default in the Sun Java System Application
    Server, Sun Java System Web Server, and Sun Java System Web Proxy
    Server.

3. Symptoms

    There are no reliable symptoms that would indicate the described
    issues have been exploited.

4. Relief/Workaround

    In order to work around these issues in products which use the NSS
    library, SSL v2 can be disabled. For example if SSL v2 has been
    enabled in the Sun Java System Application Server, Sun Java System Web
    Server, or Sun Java System Web Proxy Server then it can be disabled
    until patches can be applied.

    The exact procedure to disable SSL v2 for each of these Sun Java
    System products varies. See the respective product documentation at
    http://docs.sun.com for further details.

5. Resolution

    These issues are addressed in the following releases:

    SPARC Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119169-16 or later or (SVR4) patch
        119166-24 or later
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file-based) patch 119173-16 or later or (SVR4) patch
        119166-24 or later
      * Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later

    x86 Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119170-16 or later or (SVR4) patch
        119167-24 or later
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file-based) patch 119174-16 or later or (SVR4) patch
        119167-24 or later
      * Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later

    Linux Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119171-16 or later or RHEL2.1/RHEL3.0
        (Pkg_patch) 119168-24 or later
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file-based) patch 119175-16 or later or RHEL2.1/RHEL3.0
        (Pkg_patch) 119168-24 or later
      * Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later

    HP-UX Platform
      * Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later

    Windows Platform
      * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
        with (file-based) patch 119172-16 or later or (package based
        patch) 122848-09 or later
      * Sun Java System Application Server Platform Edition 8.1 2005 Q1
        with (file-based) patch 119176-16 or later
      * Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later

    Sun Java System Web Proxy Server 4.0 Service Pack 5 is available at:
      * http://www.sun.com/download/products.xml?id=4648dc96

    A final resolution is pending completion.

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

            =========================================================
            Les serveurs de référence du CERT-Renater
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================