SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Java Runtime Environment (JRE) Vendors:   Sun
(Sun Issues Fix for JRE/JSEE) OpenSSL RSA Signatures Can Be Forged
SecurityTracker Alert ID:  1017237
SecurityTracker URL:  http://securitytracker.com/id/1017237
CVE Reference:   CVE-2006-4339   (Links to External Site)
Date:  Nov 16 2006
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in OpenSSL. A remote user may be able to forge certain digital signatures. Sun JRE/JSEE is affected.

If an RSA key with exponent 3 is used, a remote user may be able to forge a PKCS #1 v1.5 signature for that key.

Software that uses PKCS #1 v1.5 may be affected. Software that uses OpenSSL to verify X.509 certificates may also be affected.

Daniel Bleichenbacher reported the type of attack that is possible against PKCS #1 v1.5 signatures.
Impact:   A remote user may be able to forge signatures (and certificates).
Solution:   Sun has issued the following fixes for JRE/JSEE, which is affected by this OpenSSL vulnerability.

* JDK and JRE 5.0 Update 9 or later
* SDK and JRE 1.4.2_13 or later
* JSSE 1.0.3_04 or later

This issue will be addressed in SDK and JRE 1.3.1_20.

J2SE 1.4.2 is available for download at:

* http://java.sun.com/j2se/1.4.2/download.html

J2SE 5.0 is available for download at the following links:

* http://java.sun.com/j2se/1.5.0/download.jsp
* http://java.com

J2SE 5.0 Update 9 for Solaris is available in the following patches:

* J2SE 5.0: update 9 (as delivered in patch 118666-09)
* J2SE 5.0: update 9 (as delivered in patch 118667-09 (64bit))
* J2SE 5.0_x86: update 9 (as delivered in patch 118668-09)
* J2SE 5.0_x86: update 9 (as delivered in patch 118669-09 (64bit))

JSSE 1.0.3_04 is available at:

* http://java.sun.com/products/jsse/index-103.html

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102686-1
Vendor URL:  www.openssl.org/news/secadv_20060905.txt (Links to External Site)
Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 5 2006 OpenSSL RSA Signatures Can Be Forged


 Source Message Contents
Date:  Wed, 15 Nov 2006 23:03:33 -0500
Subject:  Security Vulnerability in RSA Signature Verification Affects Java 2 Platform, Standard Edition



http://sunsolve.sun.com/search/document.do?assetkey=1-26-102686-1

CVE-2006-4339


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC