Sun Java System Products NSS SSLv2 Processing Buffer Overflows

Secunia Advisory: SA25597
Release Date: 2007-06-12
Last Update: 2007-08-30
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix
Software: Sun Java System Application Server 8.x; Sun Java System Web Proxy Server 4.x; Sun Java System Web Server (Sun ONE/iPlanet) 6.x; Sun Java System Web Server 7.x
CVE reference: CVE-2007-0008, CVE-2007-0009

Description: Sun has acknowledged some vulnerabilities in various Sun Java System products, which potentially can be exploited by malicious people to compromise a vulnerable system.
For more information: SA24253
Please see the vendor advisory for a list of affected products.
Note: SSLv2 is disabled by default in the Sun Java System Application Server, Sun Java System Web Server, and Sun Java System Web Proxy Server.
Solution: Apply patches or disable SSLv2.
-- SPARC Platform --
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119169-16 or later or (SVR4) patch 119166-24 or later
Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119173-16 or later or (SVR4) patch 119166-24 or later
Sun Java System Web Server 6.1 with Service Pack 8 or later
Sun Java System Web Server 6.1 with patch 116648-20 or later
Sun Java System Web Server 7.0 with Update 1 or later
Sun Java System Web Server 7.0 with patch 125437-07 or later
Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later
Sun Java System Web Proxy Server 4.0 with patch 120981-12 or later
-- x86 Platform --
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119170-16 or later or (SVR4) patch 119167-24 or later
Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119174-16 or later or (SVR4) patch 119167-24 or later
Sun Java System Web Server 6.1 with Service Pack 8 or later
Sun Java System Web Server 6.1 with patch 116649-20 or later
Sun Java System Web Server 7.0 with Update 1 or later
Sun Java System Web Server 7.0 with patch 125438-07 or later
Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later
Sun Java System Web Proxy Server 4.0 with patch 120982-12 or later
-- Linux Platform --
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119171-16 or later or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-24 or later
Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119175-16 or later or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-24 or later
Sun Java System Web Server 6.1 with Service Pack 8 or later
Sun Java System Web Server 6.1 with patch 118202-12 or later
Sun Java System Web Server 7.0 with Update 1 or later
Sun Java System Web Server 7.0 with patch 125439-07 or later
Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later
Sun Java System Web Proxy Server 4.0 with patch 120983-12 or later
-- AIX Platform --
Sun Java System Web Server 6.1 with Service Pack 8 or later
-- HP-UX Platform --
Sun Java System Web Server 6.1 with Service Pack 8 or later
Sun Java System Web Server 7.0 with Update 1 or later
Sun Java System Web Server 7.0 with patch 125440-01 or later
Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later
-- Windows Platform --
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119172-16 or later or (package based patch) 122848-09 or later
Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119176-16 or later
Sun Java System Web Server 6.1 with Service Pack 8 or later
Sun Java System Web Server 6.1 with patch 121524-04 or later
Sun Java System Web Server 7.0 with Update 1 or later
Sun Java System Web Server 7.0 with patch 125441-06 or later
Sun Java System Web Proxy Server 4.0 with Service Pack 5 or later
A final resolution is pending completion.
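
The patch minimums above can be checked against a host's installed patch list. The following is an added example, not part of the Secunia or Sun advisory: it covers only the SPARC patches that are not marked file-based, and it assumes they are recorded in Solaris `showrev -p` output. The function names, the sample output, its package names and the patch ID 999999-01 are constructed for illustration.

```python
import re

# Minimum SPARC patch revisions, copied from the Solution list above.
REQUIRED_SPARC = {
    "119166": (24, "Application Server 8.1 2005 Q1 (SVR4)"),
    "116648": (20, "Web Server 6.1"),
    "125437": (7, "Web Server 7.0"),
    "120981": (12, "Web Proxy Server 4.0"),
}

# One `showrev -p` line: "Patch: <id>-<rev> Obsoletes: <list> Requires: ..."
PATCH_RE = re.compile(r"^Patch:\s*(\d{6})-(\d{2})\s+Obsoletes:\s*(.*?)\s*Requires:")

# Constructed sample input (not taken from a real system).
SAMPLE = """\
Patch: 119166-22 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu
Patch: 119166-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasu
Patch: 116648-19 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwbsvr
Patch: 999999-01 Obsoletes: 120981-11  Requires:  Incompatibles:  Packages: SUNWproxy
"""

def parse_showrev(text):
    """Return ({base: highest installed revision}, {obsoleted base: obsoleting patch})."""
    installed, obsoleted = {}, {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        base, rev, obs = m.group(1), int(m.group(2)), m.group(3)
        # The same patch can be listed once per installed revision; keep the highest.
        installed[base] = max(rev, installed.get(base, -1))
        for old in re.findall(r"(\d{6})-\d{2}", obs):
            obsoleted[old] = f"{base}-{rev:02d}"
    return installed, obsoleted

def audit(text, required=REQUIRED_SPARC):
    """Map each required patch base to ok / below-minimum / superseded-verify / not-installed."""
    installed, obsoleted = parse_showrev(text)
    report = {}
    for base, (min_rev, _product) in required.items():
        if base in installed:
            report[base] = "ok" if installed[base] >= min_rev else "below-minimum"
        elif base in obsoleted:
            # Replaced by another patch; whether it carries the fix needs a manual check.
            report[base] = "superseded-verify"
        else:
            # Product not present on this host, or present and unpatched.
            report[base] = "not-installed"
    return report

if __name__ == "__main__":
    for base, status in audit(SAMPLE).items():
        print(base, REQUIRED_SPARC[base][1], status)
```

A "not-installed" result does not distinguish an absent product from an unpatched one, so it should be read together with the host's package inventory.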
Changelog: 2007-08-30: Updated "Description" and "Solution" sections.
Original Advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102945-1
Other References: SA24253:
http://secunia.com/advisories/24253/
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.