Java Enterprise System and Solaris - Security Vulnerability Issue of Forged RSA Signatures

A vulnerability in the Sun Java Enterprise System (JES) may allow remote unprivileged users to construct certificates with forged signatures that go undetected and are accepted as valid signatures.

Sun(sm) Alert Notification
     * Sun Alert ID: 102656
     * Synopsis: Security Vulnerability Issue of Forged RSA Signatures
       for Java Enterprise System and Solaris
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System,
       Sun Java Enterprise System 2003Q4, Sun Java Enterprise System
       2005Q1, Solaris 8 Operating System, Sun Java Enterprise System
       2005Q4, Sun Java Enterprise System 2004Q2
     * BugIDs: 6468495
     * Avoidance: Patch
     * State: Workaround
     * Date Released: 25-Oct-2006
     * Date Closed:
     * Date Modified:

1. Impact

   A vulnerability in the Sun Java Enterprise System (JES) may allow
   remote unprivileged users to construct certificates with forged
   signatures that go undetected and are accepted as valid signatures.
   These unprivileged users may be able to operate servers that falsely
   pose as other servers or generate forged signatures on emails and
   software downloads without detection.

   This issue is also described in the following documents:

   CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

   CVE-2006-4339 at
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

   Note: The issue described in this Sun Alert is specific to Sun Java
   Enterprise System (JES). Multiple Sun products are affected by this
   issue; for more details please see Sun Alert 102648 at
   http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Sun Java Enterprise System 2003Q4 (for Solaris 8)
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris
       8) without patch 119209-10
     * Sun Java Enterprise System 2003Q4 (for Solaris 9)
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris
       9) without patch 119211-10
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10)
       without patch 119213-10
     * Solaris 9
     * Solaris 10 without patch 119213-10

   x86 Platform
     * Sun Java Enterprise System 2003Q4 (for Solaris 9)
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris
       9) without patch 119212-10
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10)
       without patch 119214-10
     * Solaris 9
     * Solaris 10 without patch 119214-10

   Linux Platform
     * Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for
       Linux) without patch 121656-10

   HP-UX Platform
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) without
       patch 124379-01

   Notes:
    1. Sun Java Enterprise System is not available for Solaris 8 on the
       x86 platform.
    2. This vulnerability affects all NSS-based SSL clients and S/MIME
       email programs which use NSS versions below 3.11.3.
    3. This vulnerability also affects products that verify signatures on
       downloaded files.

   Among NSS-based server products, this vulnerability only affects those
   that:

   A) act as SSL clients (including LDAPS clients), or

   B) request and accept certificates from remote SSL clients.

   This vulnerability stems from the code that verifies RSA signatures of
   the kind commonly used on X.509 certificates known as "PKCS#1" version
   1.5 RSA signatures.

   To determine if the NSS packages are installed on a system, the
   following command can be run:
    % pkginfo SUNWtls

   To determine the version of NSS on a system, the following command can
   be run:
    % pkgparam SUNWtls SUNW_PRODVERS

3. Symptoms

   There are no predictable symptoms that would indicate the described
   issue has occurred.

4. Relief/Workaround

   There is no workaround for this issue. Please see the Resolution
   section below.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris
       8) with patch 119209-10 or later
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris
       9) with patch 119211-10 or later
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with
       patch 119213-10 or later
     * Solaris 10 with patch 119213-10 or later

   x86 Platform
     * Sun Java Enterprise System 2004Q2, 2005Q1 and 2005Q4 (for Solaris
       9) with patch 119212-10 or later
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for Solaris 10) with
       patch 119214-10 or later
     * Solaris 10 with patch 119214-10 or later

   Linux Platform
     * Sun Java Enterprise System 2003Q4, 2004Q2, 2005Q1 and 2005Q4 (for
       Linux) with patch 121656-10 or later

   HP-UX Platform
     * Sun Java Enterprise System 2005Q1 and 2005Q4 (for HP-UX) with
       patch 124379-01 or later

   A final resolution is pending completion.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved
Telegram Подписывайтесь на канал "SecurityLab" в Telegram, чтобы первыми узнавать о новостях и эксклюзивных материалах по информационной безопасности.