Incorrect Certificate Validation in Java Secure Socket Extension
From: Alex Loots (a.loots@itsec-ss.nl)
Date: 01/28/03
Date: Tue, 28 Jan 2003 09:04:29 +0100
From: Alex Loots <a.loots@itsec-ss.nl>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
According to SUN it has been reported that: "the Java Secure Socket
Extension (JSSE) may incorrectly validate the digital certificate of a
web site. This may result in untrustworthy web sites being
authenticated for SSL transactions. The Java Plug-in and Java Web Start
may incorrectly validate the digital certificates of signed JAR files.
This may result in untrustworthy code being executed as trusted code."
From the JSSE changelog: "If an SSLContext was initialized
(SSLContext.init()) with an instance of the X509TrustManager
implementation, JSSE 1.0.3 incorrectly called the isClientTrusted()
method when making server trust decisions."
The SUN bulletin:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081&zone_32=category%3Asecurity
The changelog of Java(tm) Secure Socket Extension 1.0.3_01 mentions this
vulnerability:
http://java.sun.com/products/jsse/CHANGES.txt
-- -Alex