=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN021
_____________________________________________________________________

DATE                      : 11/01/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sun Java System Web Server,
                            Sun Java System Web Proxy Server,
                            Sun Java System Application Server,
                            Sun GlassFish Enterprise Server.

======================================================================
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-274990-1
______________________________________________________________________

Category : Security
Release Phase : Workaround
Bug Id : 6899619, 6898371
Product : Sun Java System Web Server 6.1
Sun Java System Web Server 7.0
Sun Java System Web Proxy Server 4.0
Sun Java System Application Server Enterprise Edition
Sun GlassFish Enterprise Server v2.1
Date of Workaround Release : 07-Jan-2010

Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets
Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java
Enterprise System Suite


1. Impact
A security vulnerability in the Transport Layer Security (TLS) and
Secure Sockets Layer 3.0 (SSLv3) protocols, in the handling of
session renegotiation, affects the Network Security Services (NSS)
libraries bundled with the following products:

- Sun Java System Web Server
- Sun Java System Web Proxy Server
- Sun Java System Application Server
- Sun GlassFish Enterprise Server

Systems running these server applications are susceptible to a
man-in-the-middle attack: a remote, unauthenticated attacker who can
intercept and control network traffic sends a request of their own at
the beginning of an HTTPS session and then relays the legitimate
client's handshake onto that same connection as a renegotiation. The
server treats the bytes received before and after the renegotiation as
one continuous stream, so the attacker's request is processed as if it
came from the authenticated client, with that client's cookies or other
headers appended to it. The vulnerability does not allow the attacker to
decrypt the HTTPS requests or responses in the session; the attacker
never sees the client's data, but causes the server to act on it.
This issue is referenced in the following document:

CVE-2009-3555 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

Sun acknowledges with thanks Marsh Ray and Steve Dispensa of
PhoneFactor for bringing this issue to our attention.
Please also see Sun Alert 273350 that describes this issue in NSS
libraries provided with Solaris and Sun Java System Enterprise System 5.
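The following is an added example, not part of the Sun Alert or of the NSS code, showing what the server's application layer sees during the renegotiation splice described above. The TLS layer is not modelled; the parser is a minimal hypothetical HTTP/1.1 request parser written for this example, and both byte strings are constructed samples.

```python
"""Added example (not from the Sun Alert or from NSS): what a server sees
during the CVE-2009-3555 renegotiation splice.

The point is purely what the application layer receives once the server
joins the bytes that arrived before the renegotiation (sent by the
attacker) with the bytes that arrived after it (sent by the victim) into
one stream. parse_request() is a minimal hypothetical HTTP/1.1 parser
written for this example; ATTACKER_PREFIX and VICTIM_REQUEST are
constructed samples.
"""

# Sent by the attacker on the TLS session it opened with the server. The
# request is complete except for the final blank line, and it ends in a
# header name whose value the victim's own request line will supply.
ATTACKER_PREFIX = (
    b"GET /admin/deleteUser?name=alice HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"X-Ignore: "
)

# Sent by the victim after the attacker relays the victim's handshake to
# the server as a renegotiation of that same connection. The attacker
# cannot read these bytes; the server can.
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Cookie: JSESSIONID=ABC123; auth=secret\r\n"
    b"\r\n"
)


def parse_request(stream: bytes):
    """Parse the first HTTP/1.1 request in `stream`.

    Returns (method, target, headers) or None when no complete request
    (request line, headers, blank line) has been received yet. Header
    names are lower-cased; a repeated header keeps the last value.
    """
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode(), headers


def server_view(prefix: bytes, victim: bytes, renegotiation_allowed: bool = True):
    """Model the server's application layer.

    An unpatched server accepts the renegotiation and hands the application
    one continuous stream: attacker bytes followed by victim bytes. A server
    with renegotiation disabled (as the patches listed in the alert do)
    refuses it, so the application only ever sees the attacker's incomplete
    request, which it cannot act on.
    """
    stream = prefix + victim if renegotiation_allowed else prefix
    return parse_request(stream)


if __name__ == "__main__":
    method, target, headers = server_view(ATTACKER_PREFIX, VICTIM_REQUEST)
    # The attacker's request line is executed with the victim's cookie:
    print(method, target, headers["cookie"])
    # The victim's own request line survives only as a harmless header value:
    print(headers["x-ignore"])
    # With renegotiation refused, no complete request ever reaches the app:
    print(server_view(ATTACKER_PREFIX, VICTIM_REQUEST, renegotiation_allowed=False))
```

The model makes the alert's two statements concrete: the attacker's request is "processed retroactively" with the victim's credentials attached, yet nothing is decrypted, because the cookie is only ever seen by the server.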

2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition SVR4)
  * Sun Java System Application Server 8.1 (Enterprise Edition file
    based)
  * Sun Java System Application Server 8.2 (Enterprise Edition SVR4)
  * Sun Java System Application Server 8.2 (Enterprise Edition file
    based)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based
    without patch 128640-15 (for customers with valid support
    contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch
    128643-15 (for customers with valid support contract) or
    141700-03 (for customers without valid support contract)

x86 Platform
  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition SVR4)
  * Sun Java System Application Server 8.1 (Enterprise Edition file
    based)
  * Sun Java System Application Server 8.2 (Enterprise Edition SVR4)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based
    without patch 128641-15 (for customers with valid support
    contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch
    128644-15 (for customers with valid support contract) or
    141701-03 (for customers without valid support contract)

Linux
  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition Package
    Based)
  * Sun Java System Application Server 8.1 (Enterprise Edition file
    based)
  * Sun Java System Application Server 8.2 (Enterprise Edition Package
    Based)
  * Sun Java System Application Server 8.2 (Enterprise Edition file
    based)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based
    without patch 128642-15 (for customers with valid support
    contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch
    128645-15 (for customers with valid support contract) or
    141702-03 (for customers without valid support contract)

HP-UX
  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12

Windows
  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition Package
    based)
  * Sun Java System Application Server 8.1 (Enterprise Edition file
    based)
  * Sun Java System Application Server 8.2 (Enterprise Edition Package
    based)
  * Sun Java System Application Server 8.2 (Enterprise Edition file
    based)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch
    128646-15 (for customers with valid support contract) or
    141703-03 (for customers without valid support contract)

Notes:

1. Sun GlassFish Enterprise Server v2.1.1 was formerly referred to as
Sun GlassFish Enterprise Server v2.1 patch 6 also known as Sun Java
System Application Server 9.1 patch 12.

2. Sun Java System Application Server (Platform Edition) and Sun
GlassFish Enterprise Server without HADB are not impacted by this
issue.

To determine the version of Sun Java System Web Proxy Server on a
system, the following command can be run:

$ <ps_install>/bin/proxy/bin/proxyd -v
Sun Microsystems, Inc.
Sun Java System Web Proxy Server 4.0.6 B05/12/2007 13:24

(Where <ps_install> is the installation directory of the Proxy
Server).

To determine the version of Sun Java System Web Server 6.1 on a
system, the following command can be run:

$ <WS-install>/https-<host>/start -version

(Where <WS-install> is the installation directory of the Web Server
and <host> should be the actual host name on which the Web Server is
installed).

To determine the version of Sun Java System Web Server 7.0 on a
system, the following command can be run:

$ <WS-install>/bin/wadm --version

(Where <WS-install> is the installation directory of the Web Server).

To determine the version of Sun GlassFish Enterprise Server or
Application Server on a system, the following command can be run:

$ <AS-install>/bin/asadmin version

(Where <AS-install> is the installation directory of the Application
Server).
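The following is an added example, not part of the Sun Alert, that turns the proxyd -v banner quoted above into a fixed/affected decision against the 4.0.13 threshold given in the Resolution section. The banner format is the one shown above; the sample banners used to exercise it are constructed, and the path to proxyd is supplied by the caller.

```python
"""Added example (not from the Sun Alert): decide from the banner printed
by `proxyd -v` whether a Sun Java System Web Proxy Server build is at or
above the fixed release, 4.0.13 (see the Resolution section). The banner
format is the one quoted in the alert; the proxyd path given to
check_proxyd() is an assumption supplied by the caller.
"""
import re
import subprocess

FIXED_PROXY_VERSION = (4, 0, 13)
BANNER_RE = re.compile(r"Sun Java System Web Proxy Server (\d+(?:\.\d+)*)")


def parse_version(banner: str):
    """Return the dotted version in the banner as a tuple of ints, or None."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version, fixed=FIXED_PROXY_VERSION):
    """True when `version` is `fixed` or later.

    Shorter tuples are padded with zeros so that 4.1 is compared as
    4.1.0 and ranks above 4.0.13. Comparing the banner text as strings
    would be wrong: "4.0.13" sorts below "4.0.6".
    """
    n = max(len(version), len(fixed))
    padded_version = version + (0,) * (n - len(version))
    padded_fixed = fixed + (0,) * (n - len(fixed))
    return padded_version >= padded_fixed


def check_proxyd(proxyd_path: str):
    """Run `proxyd -v` on this host and report.

    Returns True (fixed), False (affected) or None when the banner cannot
    be parsed. Both stdout and stderr are scanned because the banner's
    output stream is not specified in the alert.
    """
    proc = subprocess.run([proxyd_path, "-v"], capture_output=True, text=True)
    version = parse_version(proc.stdout + proc.stderr)
    return None if version is None else is_fixed(version)


if __name__ == "__main__":
    import sys
    # Usage: python check_proxyd.py <ps_install>/bin/proxy/bin/proxyd
    result = check_proxyd(sys.argv[1])
    print({True: "fixed (4.0.13 or later)", False: "affected", None: "unknown"}[result])
```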


3. Symptoms
There are no predictable symptoms that would indicate this issue has
been exploited.

4. Workaround
To work around the issue in Sun Java System Web Server, the client
certificate can be obtained during the initial connection handshake
rather than through a later renegotiation. This mode is configured by
setting the client-auth element to 'required' in server.xml, as in the
following example:

<http-listener>
    <ssl>
        <client-auth>required</client-auth>
    </ssl>
</http-listener>

Obtaining the certificate in the initial handshake removes the
server-initiated renegotiation that would otherwise be used to request
it, and it means that every client, including a would-be attacker, must
present an acceptable certificate before any request is accepted.
Clients without a certificate can no longer connect to the listener at
all, so the setting should be applied only where that is acceptable.
The setting does not itself disable renegotiation; the patches in the
'Resolution' section remain the proper fix.

There is no workaround for this issue for the other server products.
Please see the 'Resolution' section below.

5. Resolution
This issue is addressed in the following releases:
SPARC Platform
  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based
    with patch 128640-15 or later (for customers with valid
    support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch
    128643-15 or later (for customers with valid support contract)
    or 141700-03 or later (for customers without valid support
    contract)

x86 Platform
  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based
    with patch 128641-15 or later (for customers with valid
    support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch
    128644-15 or later (for customers with valid support contract)
    or 141701-03 or later (for customers without valid support
    contract)

Linux
  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based
    with patch 128642-15 or later (for customers with valid
    support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch
    128645-15 or later (for customers with valid support contract)
    or 141702-03 or later (for customers without valid support
    contract)

HP-UX
  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later

Windows
  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch
    128646-15 or later (for customers with valid support contract)
    or 141703-03 or later (for customers without valid support
    contract)

A final resolution is pending completion.

IMPORTANT: The above patches disable TLS session renegotiation
altogether. Test them with applications that use the NSS libraries
before deploying them for wider use: anything that relies on
renegotiation (for example, requesting a client certificate after the
initial handshake) will stop working. After a patch is applied, a
renegotiation attempt from a client (for example, entering a line
containing only R in an interactive openssl s_client -connect host:443
session) should be refused by the server.

Notes:

1. Systems running Sun Java System Application Server 8.0 should be
upgraded to a later version, to which the resolution patches listed
above can then be applied.

2. If an application depends on renegotiation, it can be re-enabled by
setting the environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1.
With this environment variable set, the fix provided by these patches
has no effect and the application is again vulnerable to the issue.

For more information on Security Sun Alerts, see Technical
Instruction ID 213557.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
