Sun JSSE incorrectly validates digital certificates
sun-jsse-improper-validation (16194)
Description:
Sun Microsystems' JSSE (Java Secure Socket Extension) improperly validates SSL (Secure Socket Layer) digital certificates. A remote attacker could use this vulnerability to spoof a trusted server.
Consequences:
Bypass Security
Remedy:
Upgrade to the latest version of Sun JSSE (1.0.3_03 or later), as described in Sun Alert ID 57560. See References.
References:
- Sun Alert ID: 57560: Java Secure Socket Extension (JSSE) May Incorrectly Validate .
- BID-10387: Java Secure Socket Extension Certificate Validation Vulnerability
- CVE-2004-2393: Java Secure Socket Extension (JSSE) 1.0.3 through 1.0.3_2 does not properly validate the certificate chain of a client or server, which allows remote attackers to falsely authenticate peers for SSL/TLS.
- OSVDB ID: 6299: Java Secure Socket Extension Server Certificate Validation Error
- SA11639: Java Secure Socket Extension Unspecified Server Certificate Validation Vulnerability
- SECTRACK ID: 1010193: Sun Java Secure Socket Extension (JSSE) Authentication Flaw May Validate Invalid Certificates
Platforms Affected:
- Sun JSSE 1.0.3
- Sun JSSE 1.0.3_01
- Sun JSSE 1.0.3_02
Reported:
May 18, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
