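Sun JSSE/Java Plug-In/Java Web Start Improper Certificate Validation Vulnerability
Published: 2003-02-12
Updated: 2003-02-12
Severity: Medium
Threat: Spoofing
Error type: Design error
Exploitation method: Server mode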
BUGTRAQ ID:6682

Affected systems
Jetty Jetty 4.2.4
Jetty Jetty 4.2.5
Jetty Jetty 4.2.6
Sun Java Web Start 1.0
+Sun Java 2 Standard Edition SDK 1.3
Sun Java Web Start 1.0.1 _02
+Sun Java 2 Standard Edition SDK 1.4
Sun Java Web Start 1.0.1 _01
+Sun Java 2 Standard Edition SDK 1.3
Sun Java Web Start 1.0.1
+Sun Java 2 Standard Edition SDK 1.3
Sun Java Web Start 1.2
Sun JRE (Linux Production Release) 1.3 _05
Sun JRE (Linux Production Release) 1.3 _02
Sun JRE (Linux Production Release) 1.3
Sun JRE (Linux Production Release) 1.3.1 _05
Sun JRE (Linux Production Release) 1.3.1 _03
Sun JRE (Linux Production Release) 1.3.1 _01
Sun JRE (Linux Production Release) 1.3.1
Sun JRE (Linux Production Release) 1.4 .0_02
Sun JRE (Linux Production Release) 1.4
Sun JRE (Linux Production Release) 1.4.1
Sun JRE (Solaris Production Release) 1.3 _05
Sun JRE (Solaris Production Release) 1.3 _02
Sun JRE (Solaris Production Release) 1.3
Sun JRE (Solaris Production Release) 1.3.1 _05
Sun JRE (Solaris Production Release) 1.3.1 _03
Sun JRE (Solaris Production Release) 1.3.1 _01
Sun JRE (Solaris Production Release) 1.4 .0_02
Sun JRE (Solaris Production Release) 1.4
Sun JRE (Solaris Production Release) 1.4.1
Sun JRE (Windows Production Release) 1.3 _05
Sun JRE (Windows Production Release) 1.3 _02
Sun JRE (Windows Production Release) 1.3
Sun JRE (Windows Production Release) 1.3.1 _05
Sun JRE (Windows Production Release) 1.3.1 _03
Sun JRE (Windows Production Release) 1.3.1 _01a
Sun JRE (Windows Production Release) 1.4 .0_02
Sun JRE (Windows Production Release) 1.4
Sun JRE (Windows Production Release) 1.4.1
Sun JSSE 1.0.3
Sun SDK (Linux Production Release) 1.3 _05
Sun SDK (Linux Production Release) 1.3 _02
Sun SDK (Linux Production Release) 1.3.1 _05
Sun SDK (Linux Production Release) 1.3.1 _03
Sun SDK (Linux Production Release) 1.3.1 _01
Sun SDK (Linux Production Release) 1.4 .0_02
Sun SDK (Linux Production Release) 1.4
Sun SDK (Linux Production Release) 1.4.1
Sun SDK (Solaris Production Release) 1.3 _05
Sun SDK (Solaris Production Release) 1.3 _02
Sun SDK (Solaris Production Release) 1.3
Sun SDK (Solaris Production Release) 1.3.1 _05
Sun SDK (Solaris Production Release) 1.3.1 _03
Sun SDK (Solaris Production Release) 1.3.1 _01
Sun SDK (Solaris Production Release) 1.4 .0_02
Sun SDK (Solaris Production Release) 1.4
Sun SDK (Solaris Production Release) 1.4.1
Sun SDK (Windows Production Release) 1.3 _05
Sun SDK (Windows Production Release) 1.3 _02
Sun SDK (Windows Production Release) 1.3.1 _05
Sun SDK (Windows Production Release) 1.3.1 _03
Sun SDK (Windows Production Release) 1.3.1 _01a
Sun SDK (Windows Production Release) 1.4 .0_02
Sun SDK (Windows Production Release) 1.4
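Sun SDK (Windows Production Release) 1.4.1

Details
The Sun Java Secure Socket Extension (JSSE), Java Plug-In, and Java Web Start do not validate certificates correctly.
For JSSE, this could allow an untrusted or even potentially malicious web site to pass authentication and carry out SSL communication. The vulnerability stems from a problem that occurs when an SSLContext is initialized with an X509TrustManager instance, which prevents JSSE from making the correct determination.
For Java Plug-In or Java Web Start, this vulnerability could cause untrusted code to be executed as trusted code.

Solution
The vendors have fixed these vulnerabilities in new software releases: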
Jetty Upgrade Jetty-4.2.7-src.tgz
http://prdownloads.sourceforge.net/jetty/Jetty-4.2.7-src.tgz?download
Sun Upgrade JSSE 1.0.3_01
http://java.sun.com/products/jsse/index-103.html

Related information
Sun Alert ID: 50081
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081