The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of JDK, JRE, SDK: denial of service of JSSE

Synthesis of the vulnerability 

An attacker can connect to SSL services created with JSSE in order to generate a denial of service.
Impacted products: HPE NMC, OpenView, OpenView NNM, OpenView Operations, NLD, OES, Java Oracle, RHEL, SLES.
Severity of this bulletin: 2/4.
Creation date: 12/07/2007.
References of this threat: 102934, 102958, 102997, 6483556, 6483560, 6490790, 6542796, BID-24846, c01269450, c01601492, CVE-2007-3698, HPSBMA02288, HPSBMA02384, RHSA-2007:0956-01, RHSA-2007:1086-01, RHSA-2008:0100-01, RHSA-2008:0132-01, SSRT071465, SUSE-SA:2008:025, VIGILANCE-VUL-6999.

Description of the vulnerability 

The JSSE extension (Java Secure Socket Extension) is used to create SSL/TLS services.

However, JSSE does not correctly handle the handshake, which overloads the processor.

An attacker can therefore connect to an SSL/TLS service provided by JSSE in order to generate a denial of service.

This computer weakness alert impacts software or systems such as HPE NMC, OpenView, OpenView NNM, OpenView Operations, NLD, OES, Java Oracle, RHEL, SLES.

Our Vigil@nce team determined that the severity of this weakness note is medium.

The trust level is "confirmed by the editor", and the attack origin is "intranet client".

An attacker with expert ability can exploit this weakness.

Solutions for this threat 

Java JDK/JRE: version 6.0 Update 2.
Version 6.0 Update 2 is corrected:
  http://java.sun.com/javase/downloads/index.jsp
  http://java.sun.com/javase/6/webnotes/ReleaseNotes.html
For Solaris :
  Sparc :
    32 bits : patch 125136-04
    64 bits : patch 125137-04
  x86 :
    32 bits : patch 125138-04
    64 bits : patch 125139-04

JDK, JRE: version 5.0 Update 12.
Version 5.0 Update 12 is corrected:
  http://java.sun.com/javase/downloads/index_jdk5.jsp
Then, documents created by JavaDoc have to be regenerated.

SDK, JRE: version 1.4.2_15.
Version 1.4.2_15 is corrected:
  http://java.sun.com/j2se/1.4.2/download.html
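
To check a host against the three corrected Sun versions listed above, the following added example (not part of the original bulletin) parses the version string printed by `java -version` and compares its update number with the fix level for that release family. It assumes Sun-style version strings, where 6.0 Update 2 is reported as 1.6.0_02 and 5.0 Update 12 as 1.5.0_12. IBM and BEA builds use their own numbering and should be checked against the package versions listed further down. The function names and sample lines are constructed for illustration.

```python
import re

# Corrected update level per Sun release family, taken from the bulletin:
# 6.0 Update 2, 5.0 Update 12 and 1.4.2_15.
FIXED_UPDATE = {(1, 6, 0): 2, (1, 5, 0): 12, (1, 4, 2): 15}

# Sun version string as printed by `java -version`, e.g. 1.5.0_11-b03
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_sun_version(text):
    """Return ((major, minor, micro), update), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family = tuple(int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4) or 0)  # "1.6.0" without suffix means update 0
    return family, update


def jsse_fix_status(text):
    """Compare a version line with the bulletin's corrected versions.

    Returns 'corrected', 'needs_update', or 'unknown' when the input cannot
    be parsed or the release family is not listed in the bulletin.
    """
    parsed = parse_sun_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "unknown"
    return "corrected" if update >= fixed else "needs_update"


# Constructed sample lines, in the format `java -version` writes to stderr.
SAMPLES = [
    'java version "1.6.0_01"',
    'java version "1.6.0_02"',
    'java version "1.5.0_11"',
    'java version "1.4.2_15"',
    'java version "1.7.0_05"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:32} -> {jsse_fix_status(line)}")
```
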

OpenView Operations: patch for Java.
A patch is available:
  OVO 7.1X
    HP-UX B.11.11 : PHSS_37197
    Solaris : ITOSOL_00619
  OVO 8.X
    HP-UX B.11.11 : PHSS_37183
    HP-UX B.11.23 (PA) : PHSS_37183
    HP-UX B.11.23 (IA) : PHSS_37182
    HP-UX B.11.31 : PHSS_37182
    Solaris : ITOSOL_00618

OpenView NNM: patch for JSSE.
A patch is available (http://support.openview.hp.com/selfsolve/patches):
OV NNM v7.53
  HP-UX (IA) : PHSS_38148
  HP-UX (PA) : PHSS_38147
  Linux RedHatAS2.1 : LXOV_00085
  Linux RedHat4AS-x86_64 : LXOV_00086
  Solaris : PSOV_03514
  Windows : NNM_01192
OV NNM v7.01
  HP-UX (PA) : PHSS_38761
  Solaris : PSOV_03516
  Windows : NNM_01194

RHEL 3E, 4E, 5S: new java-1.4.2-bea packages.
New packages are available:
Red Hat Enterprise Linux version 3 : java-1.4.2-bea-1.4.2.16-1jpp.1.el3
Red Hat Enterprise Linux version 4 : java-1.4.2-bea-1.4.2.16-1jpp.1.el4
Red Hat Enterprise Linux version 5 : java-1.4.2-bea-1.4.2.16-1jpp.1.el5

RHEL 3E, 4E, 5S: new java-1.4.2-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 3 Extras: java-1.4.2-ibm-1.4.2.10-1jpp.2.el3
Red Hat Enterprise Linux version 4 Extras: java-1.4.2-ibm-1.4.2.10-1jpp.2.el4
Red Hat Enterprise Linux version 5 Supplementary : java-1.4.2-ibm-1.4.2.10-1jpp.2.el5

RHEL 4 Extras: new java-1.4.2-bea packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras: java-1.4.2-bea-1.4.2.15-1jpp.2.el4

RHEL: new java-1.5.0-bea packages.
New packages are available:
Red Hat Enterprise Linux version 4: java-1.5.0-bea-1.5.0.11-1jpp.2.el4
Red Hat Enterprise Linux version 5: java-1.5.0-bea-1.5.0.11-1jpp.1.el5

SUSE: new IBMJava5 packages.
New packages are available:
  http://support.novell.com/techcenter/psdb/9a5ab06f4b454def4dc88e7b2a5b241b.html

SUSE: new IBM Java packages.
New packages are available:
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
   SUSE Linux Enterprise Server 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html