SecurityTracker.com
SecurityTracker
Archives
Category: Application (Generic) > Oracle Java SE
Vendors: Sun
Sun Java Secure Socket Extension (JSSE) May Incorrectly Authenticate Invalid Entities
SecurityTracker Alert ID:  1006001
SecurityTracker URL:  http://securitytracker.com/id/1006001
CVE Reference:   CVE-2003-1229   (Links to External Site)
Updated:  May 22 2009
Original Entry Date:  Jan 28 2003
Impact:   Host/resource access via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): JSSE 1.0.3 or earlier; also JSSE in SDK and JRE 1.4.0_01
Description:   A certificate validation vulnerability was reported in Sun's Java Secure Socket Extension (JSSE). The Java Plug-In and Java Web Start are also affected. The software may incorrectly authenticate web sites or JAR files that are not valid.

Sun reported that the JSSE may incorrectly validate the digital certificate of a web site when it should not have been validated. As a result, a malicious web site may be authenticated for SSL transactions.

According to Sun, if an SSLContext was initialized using the SSLContext.init() method with an independent (application-supplied) instance of an X509TrustManager implementation, the software will incorrectly call that trust manager's isClientTrusted() method to decide whether the remote certificate is trusted.
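The configuration just described, an independent X509TrustManager handed to SSLContext.init(), is the one a defender needs to look at. The block below is an added example written for this entry, not Sun's code and not part of the alert: a trust manager for the legacy com.sun.net.ssl API that JSSE 1.0.3 exposed, in which both entry points run the same platform chain validation and record which one the runtime invoked. It assumes the default JVM trust store is an acceptable trust root, that the hypothetical class name StrictTrustManager and the optional command-line host are free choices, and that the caller is an SSL client that never validates client certificates (a server that does would route the client path to the delegate's isClientTrusted() instead). On the modern javax.net.ssl.X509TrustManager the same idea applies to checkClientTrusted() and checkServerTrusted().

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.TrustManagerFactory;
import com.sun.net.ssl.X509TrustManager;

/*
 * Added example (not Sun's code). A custom trust manager whose two entry
 * points are equally strict, so a server certificate that the runtime routes
 * through isClientTrusted() is neither accepted by a looser path nor invisible
 * to the application.
 */
public class StrictTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;   // the platform SunX509 trust manager
    private String lastEntryPoint = "none";     // which method the runtime called last

    public StrictTrustManager() throws Exception {
        // Assumption: the default JVM trust store (cacerts) is the trust root.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init((KeyStore) null);
        TrustManager[] managers = tmf.getTrustManagers();
        X509TrustManager found = null;
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509TrustManager) {
                found = (X509TrustManager) managers[i];
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509TrustManager from SunX509 factory");
        }
        delegate = found;
    }

    // One validation routine for both entry points: a chain passes only if the
    // platform's server-side check passes, whichever method JSSE chose to call.
    private boolean validate(X509Certificate[] chain, String entryPoint) {
        lastEntryPoint = entryPoint;
        if (chain == null || chain.length == 0) {
            return false;                       // fail closed on an empty chain
        }
        boolean trusted = delegate.isServerTrusted(chain);
        if (!trusted) {
            System.err.println("rejected chain via " + entryPoint + ": "
                    + chain[0].getSubjectDN());
        }
        return trusted;
    }

    public boolean isClientTrusted(X509Certificate[] chain) {
        return validate(chain, "isClientTrusted");
    }

    public boolean isServerTrusted(X509Certificate[] chain) {
        return validate(chain, "isServerTrusted");
    }

    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    public String lastEntryPoint() {
        return lastEntryPoint;
    }

    public static void main(String[] args) throws Exception {
        StrictTrustManager tm = new StrictTrustManager();

        // The configuration the alert describes: an independent trust manager
        // instance passed to SSLContext.init().
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        // Offline check: an empty chain is refused through either entry point.
        System.out.println("empty chain via isClientTrusted: "
                + tm.isClientTrusted(new X509Certificate[0]));
        System.out.println("empty chain via isServerTrusted: "
                + tm.isServerTrusted(new X509Certificate[0]));

        // Optional live check against a host named on the command line
        // (hypothetical input): after the handshake, lastEntryPoint() reports
        // which method the installed JSSE used to validate the server chain.
        if (args.length == 1) {
            javax.net.ssl.SSLSocket sock = (javax.net.ssl.SSLSocket)
                    ctx.getSocketFactory().createSocket(args[0], 443);
            sock.startHandshake();
            System.out.println("server chain validated via " + tm.lastEntryPoint());
            sock.close();
        }
    }
}
```

Run with no arguments it only exercises the fail-closed path; run with a host name it performs a real handshake and prints which entry point the runtime used, which is a direct way to confirm whether a deployed JSSE still dispatches server validation to isClientTrusted(). The design choice is that neither method is an unconditional accept, so the misdirected call described in the alert cannot bypass validation even before the fixed release is installed.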

It is also reported that the Java Plug-in and Java Web Start may incorrectly validate digital certificates of signed JAR files. As a result, malicious code could be authenticated as being trusted. [Editor's note: Separate Alerts will be issued describing the fix for those products.]

Impact:   An entity may be authenticated when the entity does not have valid authentication credentials.
Solution:   Sun has released the following fixed versions:

JSSE in SDK and JRE 1.4.0_02 or later 1.4.0 releases
JSSE 1.0.3_01

Because the Sun Java Plug-in and Java Web Start are also affected, fixes to those products are also available:

Java Plug-in in SDK and JRE 1.4.1_01 or later 1.4.1 releases
Java Plug-in in SDK and JRE 1.4.0_03 or later 1.4.0 releases
Java Plug-in in SDK and JRE 1.3.1_06 or later 1.3.1 releases
Java Web Start in SDK and JRE 1.4.1_01 or later 1.4.1 releases

JSSE 1.0.3_01 is available at:

http://java.sun.com/products/jsse/index-103.html

SDK and JRE releases are available at:

http://java.sun.com/j2se/

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081 (Links to External Site)
Cause:   Authentication error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(HP Issues Fix) Sun Java Secure Socket Extension (JSSE) May Incorrectly Authenticate Invalid Entities
HP has released a fix.
Aug 13 2003 (HP Issues Fix for Virtualvault) Sun Java Secure Socket Extension (JSSE) May Incorrectly Authenticate Invalid Entities
The vendor has added a fix for Virtualvault.



Source Message Contents

Subject:  Sun JSSE, Java Plug-in, and Java Web Start bugs


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081

Sun issued an alert (50081) warning of a certificate validation flaw in Java Secure Socket Extension
(JSSE), Java Plug-In, and Java Web Start.

According to the report, the JSSE may incorrectly validate the digital certificate of a web site
when it should not have been validated.  As a result, a malicious web site may be authenticated for
SSL transactions. 

It is also reported that the Java Plug-in and Java Web Start may incorrectly validate digital
certificates of signed JAR files.  As a result, malicious code could be authenticated as being
trusted.

Sun reports that the following releases are affected:

JSSE in SDK and JRE 1.4.0_01 or earlier 1.4.0 releases 
JSSE 1.0.3 or earlier 
Java Plug-in in SDK and JRE 1.4.1 
Java Plug-in in SDK and JRE 1.4.0_02 or earlier 1.4.0 releases 
Java Plug-in in SDK and JRE 1.3.1_05 or earlier 1.3.1 releases 
Java Plug-in in SDK and JRE 1.3.0_05 or earlier 1.3.0 releases 
Java Web Start 1.2 
Java Web Start 1.0.1_02 or earlier 1.0.1 releases 
Java Web Start 1.0 

Sun has released the following fixed versions:

JSSE in SDK and JRE 1.4.0_02 or later 1.4.0 releases 
JSSE 1.0.3_01 
Java Plug-in in SDK and JRE 1.4.1_01 or later 1.4.1 releases 
Java Plug-in in SDK and JRE 1.4.0_03 or later 1.4.0 releases 
Java Plug-in in SDK and JRE 1.3.1_06 or later 1.3.1 releases 
Java Web Start in SDK and JRE 1.4.1_01 or later 1.4.1 releases 
Note: 

JSSE 1.0.3_01 is available at:

http://java.sun.com/products/jsse/index-103.html

SDK and JRE releases are available at:

http://java.sun.com/j2se/ 

-----

Sun Alert ID: 50081 
Synopsis: Incorrect Certificate Validation in Java Secure Socket Extension (JSSE), Java Plug-In and
Java Web Start 
Category: Security 
Product: Java JRE/SDK, Java Web Start 
BugIDs: 4730667, 4732385, 4735737, 4735750 
Avoidance: Upgrade 
State: Resolved 
Date Released: 23-Jan-2003 
Date Closed: 23-Jan-2003 
Date Modified:



Copyright 2021, SecurityGlobal.net LLC