ESB-2010.0020 - [Win][Linux][HP-UX][Solaris] Sun Microsystems: Provide misleading information - Remote/unauthenticated
Date:
11 January 2010
References
:
ASB-2009.1125.2
ESB-2010.0842.2
ESB-2012.0336
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0020
       Security Vulnerability in TLS and SSLv3 Affects Multiple Server
              Products in the Sun Java Enterprise System Suite
                              11 January 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Sun Java System Web Server 6.1
                      Sun Java System Web Server 7.0
                      Sun Java System Web Proxy Server 4.0
                      Sun Java System Application Server Enterprise Edition
                      Sun GlassFish Enterprise Server v2.1
Publisher:            Sun Microsystems
Operating System:     Solaris
                      Linux variants
                      HP-UX
                      Windows
Impact/Access:        Provide Misleading Information -- Remote/Unauthenticated
                      Unauthorised Access           -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-3555
Reference:            ASB-2009.1125.2

Original Bulletin:
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-274990-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID    : 274990
Article Type  : Sun Alert
Last reviewed : 2010-01-07
Audience      : PUBLIC
Keywords      :

Copyright Notice: Copyright © 2009 Sun Microsystems, Inc. All Rights Reserved

Security Vulnerability in the Transport Layer Security (TLS) and Secure
Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the
Sun Java Enterprise System Suite
_________________________________________________________________

Category                   : Security
Release Phase              : Workaround
Bug Id                     : 6899619, 6898371
Product                    : Sun Java System Web Server 6.1
                             Sun Java System Web Server 7.0
                             Sun Java System Web Proxy Server 4.0
                             Sun Java System Application Server Enterprise Edition
                             Sun GlassFish Enterprise Server v2.1
Date of Workaround Release : 07-Jan-2010

1. Impact

A security vulnerability in the Transport Layer Security (TLS) and Secure
Sockets Layer 3.0 (SSLv3) protocols, in the handling of session
renegotiations, affects the Network Security Services (NSS) libraries
bundled with the following products:

- - Sun Java System Web Server
- - Sun Java System Web Proxy Server
- - Sun Java System Application Server
- - Sun GlassFish Enterprise Server

Systems running these server applications are susceptible to a
man-in-the-middle attack whereby a remote unauthenticated user with the
ability to intercept and control network traffic may send an
unauthenticated request at the beginning of an HTTPS session that is
processed retroactively by the server, as though it had been sent by the
legitimate client. The vulnerability does not allow the attacker to
decrypt the HTTPS requests or responses in the session.

This issue is referenced in the following document:

  CVE-2009-3555 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

Sun acknowledges with thanks Marsh Ray and Steve Dispensa of PhoneFactor
for bringing this issue to our attention.

Please also see Sun Alert 273350, which describes this issue in the NSS
libraries provided with Solaris and Sun Java System Enterprise System 5.
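The following is an added example, not part of the Sun Alert or of AusCERT's bulletin, showing what "processed retroactively" means at the HTTP layer. Before the fix, a server that renegotiates treats the attacker's bytes (sent over a TLS session the attacker opened) and the victim's bytes (sent after the server renegotiates with the victim's client) as one application-data stream. A common way to exploit that is an unterminated header line at the end of the attacker's prefix: the victim's own request line is swallowed as a header value, while the victim's Cookie header authenticates the attacker's request. The hostname, path, cookie value and the `X-Ignore` header name are constructed for this illustration; the TLS renegotiation itself is not simulated, only the server's resulting view of the plaintext. Note that the attacker never sees the cookie, which matches the alert's statement that nothing is decrypted.

```python
"""
Added example (not from the Sun Alert or AusCERT): how a CVE-2009-3555
plaintext-injection splice looks to the HTTP layer, and a parser-side
check that flags the tell-tale header value.  All traffic below is
constructed; nothing was captured from a real system.
"""
from typing import Dict, List, Optional, Tuple

# What the MITM sends first, over a TLS session it set up itself.  The
# request is deliberately left unterminated: the last header line has no
# CRLF, so whatever the server reads next is glued onto its value.
ATTACKER_PREFIX = (
    b"GET /admin/delete?user=victim HTTP/1.1\r\n"
    b"Host: shop.example\r\n"          # hostname is constructed
    b"X-Ignore: "                      # header name is an arbitrary choice
)

# The victim's own request, which the attacker cannot read.  A server
# without the fix appends it to the same byte stream after renegotiating.
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=victim-session-token\r\n"   # constructed value
    b"\r\n"
)


def splice(prefix: bytes, victim: bytes) -> bytes:
    """Model the vulnerable server's view: one application-data stream."""
    return prefix + victim


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Minimal HTTP/1.1 parser: request line plus headers up to CRLFCRLF.

    Later duplicate headers overwrite earlier ones, which is enough to show
    the effect; a real server may reject or merge duplicates instead.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Names of headers whose value looks like an embedded HTTP request line.

    A legitimate client never sends a header whose value starts with a
    method and ends in an HTTP version; seeing one means a request line was
    absorbed, which is exactly the splice this alert describes.
    """
    methods = ("GET ", "POST ", "PUT ", "DELETE ", "HEAD ", "OPTIONS ")
    return [
        name for name, value in headers.items()
        if value.startswith(methods) and " HTTP/" in value
    ]


def what_the_server_executes() -> Tuple[str, Optional[str], List[str]]:
    """Return (request line executed, cookie it runs with, flagged headers)."""
    stream = splice(ATTACKER_PREFIX, VICTIM_REQUEST)
    request_line, headers = parse_request(stream)
    return request_line, headers.get("cookie"), suspicious_headers(headers)


if __name__ == "__main__":
    line, cookie, flagged = what_the_server_executes()
    print("server executes :", line)      # the attacker's request line
    print("with cookie     :", cookie)    # the victim's session cookie
    print("flagged headers :", flagged)   # ['x-ignore']
```

The `suspicious_headers` check is only useful where raw request headers can be inspected (a reverse proxy or WAF in front of the server); it does not replace the vendor fix, since the injected request has already reached the HTTP layer by the time it fires, and an attacker who chooses a different absorption technique will not trip it.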
2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition SVR4)
  * Sun Java System Application Server 8.1 (Enterprise Edition file based)
  * Sun Java System Application Server 8.2 (Enterprise Edition SVR4)
  * Sun Java System Application Server 8.2 (Enterprise Edition file based)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based without
    patch 128640-15 (for customers with valid support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128643-15
    (for customers with valid support contract) or 141700-03 (for customers
    without valid support contract)

x86 Platform

  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition SVR4)
  * Sun Java System Application Server 8.1 (Enterprise Edition file based)
  * Sun Java System Application Server 8.2 (Enterprise Edition SVR4)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based without
    patch 128641-15 (for customers with valid support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128644-15
    (for customers with valid support contract) or 141701-03 (for customers
    without valid support contract)

Linux

  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition Package Based)
  * Sun Java System Application Server 8.1 (Enterprise Edition file based)
  * Sun Java System Application Server 8.2 (Enterprise Edition Package Based)
  * Sun Java System Application Server 8.2 (Enterprise Edition file based)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based without
    patch 128642-15 (for customers with valid support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128645-15
    (for customers with valid support contract) or 141702-03 (for customers
    without valid support contract)

HP-UX

  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12

Windows

  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 7.0
  * Sun Java System Web Proxy Server 4.0 through 4.0.12
  * Sun Java System Application Server 8.0 (Enterprise Edition)
  * Sun Java System Application Server 8.1 (Enterprise Edition Package based)
  * Sun Java System Application Server 8.1 (Enterprise Edition file based)
  * Sun Java System Application Server 8.2 (Enterprise Edition Package based)
  * Sun Java System Application Server 8.2 (Enterprise Edition file based)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB without patch 128646-15
    (for customers with valid support contract) or 141703-03 (for customers
    without valid support contract)

Notes:

  1. Sun GlassFish Enterprise Server v2.1.1 was formerly referred to as Sun
     GlassFish Enterprise Server v2.1 patch 6, also known as Sun Java System
     Application Server 9.1 patch 12.

  2. Sun Java System Application Server (Platform Edition) and Sun GlassFish
     Enterprise Server without HADB are not impacted by this issue.

To determine the version of Sun Java System Web Proxy Server on a system,
the following command can be run:

  $ <install-dir>/bin/proxy/bin/proxyd -v
  Sun Microsystems, Inc.
  Sun Java System Web Proxy Server 4.0.6 B05/12/2007 13:24

(Where <install-dir> is the installation directory of the Proxy Server).

To determine the version of Sun Java System Web Server 6.1 on a system, the
following command can be run:

  $ <install-dir>/https-<host-name>/start -version

(Where <install-dir> is the installation directory of the Web Server and
<host-name> should be the actual host name on which the Web Server is
installed).

To determine the version of Sun Java System Web Server 7.0 on a system, the
following command can be run:

  $ <install-dir>/bin/wadm --version

(Where <install-dir> is the installation directory of the Web Server).

To determine the version of Sun GlassFish Enterprise Server or Application
Server on a system, the following command can be run:

  $ <install-dir>/bin/asadmin version

(Where <install-dir> is the installation directory of the Application
Server).

3. Symptoms

There are no predictable symptoms that would indicate this issue has been
exploited.

4. Workaround

To work around the issue in Sun Java System Web Server, a client
certificate can be required during the initial connection handshake, so
that the server never needs to renegotiate an established session to
request one. This mode is configured by setting the client-auth element to
'required' in server.xml, as in the following example:

  <client-auth>required</client-auth>

There is no workaround for this issue for the other server products. Please
see the 'Resolution' section below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with
    patch 128640-15 or later (for customers with valid support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128643-15 or
    later (for customers with valid support contract) or 141700-03 or later
    (for customers without valid support contract)

x86 Platform

  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with
    patch 128641-15 or later (for customers with valid support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128644-15 or
    later (for customers with valid support contract) or 141701-03 or later
    (for customers without valid support contract)

Linux

  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with
    patch 128642-15 or later (for customers with valid support contract)
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128645-15 or
    later (for customers with valid support contract) or 141702-03 or later
    (for customers without valid support contract)

HP-UX

  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later

Windows

  * Sun Java System Web Server 7.0 update 7 or later
  * Sun Java System Web Proxy Server 4.0.13 or later
  * Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128646-15 or
    later (for customers with valid support contract) or 141703-03 or later
    (for customers without valid support contract)

A final resolution is pending completion.

IMPORTANT: The above patches disable TLS session renegotiation entirely
rather than fixing it. It is advisable to test these patches with
applications that use the NSS libraries before deploying them for wider
use.

Notes:

  1. Systems with Sun Java System Application Server 8.0 should be upgraded
     to a later version, after which the resolution patches mentioned above
     can be applied.

  2. If an application depends on the renegotiation feature, it can be
     re-enabled by setting the environment variable
     NSS_SSL_ENABLE_RENEGOTIATION to 1. With this environment variable set,
     the fix provided by these patches has no effect and the application
     may again be vulnerable to the issue.

For more information on Security Sun Alerts, see Technical Instruction ID
213557.

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information. It is being provided to you
pursuant to the provisions of your agreement to purchase services from Sun,
or, if you do not have such an agreement, the Sun.com Terms of Use. This
Sun Alert notification may only be used for the purposes contemplated by
these agreements.

Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A.
All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

  http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLSoXZNVH5XJJInbgRAhrLAJ9ki1ASDj063oScSYi/fB2in2KyLACffGkE
xnmbrDz8Qx4a+/OMFVg1x3A=
=laLS
-----END PGP SIGNATURE-----