Sun Java Secure Socket Extension (JSSE) May Incorrectly Authenticate Invalid Entities
SecurityTracker Alert ID: 1006001
SecurityTracker URL: http://securitytracker.com/id?1006001
CVE Reference: CVE-2003-1229
Updated: Jun 24 2008
Original Entry Date: Jan 28 2003
Impact: Host/resource access via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): JSSE 1.0.3 or earlier; also JSSE in SDK and JRE 1.4.0_01
Description: A certificate validation vulnerability was reported in Sun's Java Secure Socket Extension (JSSE). The Java Plug-In and Java Web Start are also affected. The software may incorrectly authenticate web sites or JAR files that are not valid.
Sun reported that the JSSE may incorrectly validate the digital certificate of a web site when it should not have been validated. As a result, a malicious web site may be authenticated for SSL transactions.
According to Sun, if an SSLContext was initialized using the SSLContext.init() function with an independent instance of an X509TrustManager implementation, the software will incorrectly call the isClientTrusted() method to determine trust.
It is also reported that the Java Plug-in and Java Web Start may incorrectly validate digital certificates of signed JAR files. As a result, malicious code could be authenticated as being trusted. [Editor's note: Separate Alerts will be issued describing the fix for those products.]
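As an added illustration of the defensive consequence of the description above (this is example code, not Sun's code and not the JSSE fix): a client-side trust manager written against the legacy com.sun.net.ssl API that routes both callbacks through one server-chain validation path, so that a misrouted isClientTrusted() call cannot grant trust that isServerTrusted() would refuse. Assumed, and not stated on the page: the SunX509 TrustManagerFactory, the JRE's default trust store when the factory is initialized with a null KeyStore, and that isServerTrusted() is the callback the runtime should have used for a web site certificate.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.TrustManagerFactory;
import com.sun.net.ssl.X509TrustManager;

/** Client-only trust manager that validates a peer chain the same way no matter
 *  which callback JSSE dispatches to, so a misrouted isClientTrusted() call
 *  cannot accept a server certificate that isServerTrusted() would reject. */
public final class FailClosedTrustManager implements X509TrustManager {
    private final X509TrustManager platform;   // default validator (assumption: SunX509 available)

    public FailClosedTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init((KeyStore) null);             // assumption: null selects the JRE default trust store
        TrustManager[] managers = tmf.getTrustManagers();
        X509TrustManager found = null;
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509TrustManager) { found = (X509TrustManager) managers[i]; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        platform = found;
    }

    /** Single validation path shared by both callbacks; an empty chain is never trusted. */
    private boolean validateServerChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return false;
        return platform.isServerTrusted(chain);
    }

    // In a client-only context a call here can only be the misrouted server check,
    // so apply the server validation instead of returning true for "no client auth".
    public boolean isClientTrusted(X509Certificate[] chain) { return validateServerChain(chain); }
    public boolean isServerTrusted(X509Certificate[] chain) { return validateServerChain(chain); }
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** Builds the configuration the advisory describes: init() with an independent trust manager. */
    public static SSLContext clientContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new FailClosedTrustManager() }, null);
        return ctx;
    }
}
```

A trust manager whose isClientTrusted() is permissive because the application never expects client authentication is the case the misrouted call turns into an authentication bypass; making both callbacks fail closed removes that dependency on which method the runtime chooses.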
Impact: An entity may be authenticated when the entity does not have valid authentication credentials.
Solution: Sun has released the following fixed versions:
JSSE in SDK and JRE 1.4.0_02 or later 1.4.0 releases
JSSE 1.0.3_01
Because the Sun Java Plug-in and Java Web Start are also affected, fixes to those products are also available:
Java Plug-in in SDK and JRE 1.4.1_01 or later 1.4.1 releases
Java Plug-in in SDK and JRE 1.4.0_03 or later 1.4.0 releases
Java Plug-in in SDK and JRE 1.3.1_06 or later 1.3.1 releases
Java Web Start in SDK and JRE 1.4.1_01 or later 1.4.1 releases
JSSE 1.0.3_01 is available at:
http://java.sun.com/products/jsse/index-103.html
SDK and JRE releases are available at:
http://java.sun.com/j2se/
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081
Cause: Authentication error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 28 Jan 2003 17:37:58 -0500
Subject: Sun JSSE, Java Plug-in, and Java Web Start bugs
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081
Sun issued an alert (50081) warning of a certificate validation flaw in Java Secure Socket Extension
(JSSE), Java Plug-In, and Java Web Start.
According to the report, the JSSE may incorrectly validate the digital certificate of a web site
when it should not have been validated. As a result, a malicious web site may be authenticated for
SSL transactions.
It is also reported that the Java Plug-in and Java Web Start may incorrectly validate digital
certificates of signed JAR files. As a result, malicious code could be authenticated as being
trusted.
Sun reports that the following releases are affected:
JSSE in SDK and JRE 1.4.0_01 or earlier 1.4.0 releases
JSSE 1.0.3 or earlier
Java Plug-in in SDK and JRE 1.4.1
Java Plug-in in SDK and JRE 1.4.0_02 or earlier 1.4.0 releases
Java Plug-in in SDK and JRE 1.3.1_05 or earlier 1.3.1 releases
Java Plug-in in SDK and JRE 1.3.0_05 or earlier 1.3.0 releases
Java Web Start 1.2
Java Web Start 1.0.1_02 or earlier 1.0.1 releases
Java Web Start 1.0
Sun has released the following fixed versions:
JSSE in SDK and JRE 1.4.0_02 or later 1.4.0 releases
JSSE 1.0.3_01
Java Plug-in in SDK and JRE 1.4.1_01 or later 1.4.1 releases
Java Plug-in in SDK and JRE 1.4.0_03 or later 1.4.0 releases
Java Plug-in in SDK and JRE 1.3.1_06 or later 1.3.1 releases
Java Web Start in SDK and JRE 1.4.1_01 or later 1.4.1 releases
Note:
JSSE 1.0.3_01 is available at:
http://java.sun.com/products/jsse/index-103.html
SDK and JRE releases are available at:
http://java.sun.com/j2se/
-----
Sun Alert ID: 50081
Synopsis: Incorrect Certificate Validation in Java Secure Socket Extension (JSSE), Java Plug-In and
Java Web Start
Category: Security
Product: Java JRE/SDK, Java Web Start
BugIDs: 4730667, 4732385, 4735737, 4735750
Avoidance: Upgrade
State: Resolved
Date Released: 23-Jan-2003
Date Closed: 23-Jan-2003
Date Modified: