Bugtraq mailing list archives


(SSRT0822) Security Bulletin - Compaq & Java Proxy/VM Potential Security Vulnerabilities (fwd)


From: Dave Ahmad <da () securityfocus com>
Date: Tue, 14 May 2002 19:49:44 -0600 (MDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN

TITLE: (SSRT0822) Java(tm) Runtime Environment - Proxy and JVM
       Potential Security Vulnerabilities

NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

Posted at: http://www.support.compaq.com/patches/mailing-list.shtml

RELEASE DATE: May 2002

SEVERITY: HIGH

SOURCE: Compaq Computer Corporation
        Compaq Services
        Software Security Response Team

REFERENCE: SUN Bulletin #00216 & #00218, CVE CAN-2002-0058,
           CVE CAN-2002-0076

________________
PROBLEM SUMMARY:

When using Microsoft Internet Explorer or Netscape Navigator to browse to
Compaq products incorporating affected versions of the Java Runtime
Environment, users may become vulnerable to attack from untrusted applets.
These applets may be able to increase their privileges on the user system
and potentially gain unauthorized access to system resources. This
potential problem would exist on either side of a corporate firewall.

Sun Microsystems published two security bulletins regarding potential
vulnerabilities in Java(tm).

   o The first is a security bulletin (#00216) regarding a potential
     runtime environment redirection issue that may allow an untrusted
     applet to monitor requests to and responses from an HTTP proxy
     server when a persistent connection is used between a client and
     an HTTP proxy server.

     NOTE: Only systems that have an HTTP proxy configured would be
     vulnerable to this potential exploit.

   o The second is a security bulletin (#00218) regarding a potential
     vulnerability to attack of the Java Runtime Environment Bytecode
     Verifier. The security advisory states, "A vulnerability in the
     Java(TM) Runtime Environment Bytecode Verifier may be exploited by
     an untrusted applet to escalate privileges."

__________________
VERSIONS IMPACTED:

Compaq Management Software

   Compaq Insight Manager 7, Compaq Insight Manager XE, the Compaq
   Management Agents and the Remote Insight Lights-Out Edition Card
   leverage Java technology to deliver portions of their functionality.
   The Java software causing this problem is delivered as part of the
   Java Runtime Environment used to enable access to these management
   products and as part of the server-side software embedded in Compaq
   Insight Manager XE and Compaq Insight Manager 7.

   o Compaq Insight Manager XE
     Compaq Insight Manager XE uses the Microsoft Java Runtime
     Environment integrated into Microsoft Internet Explorer.

   o Compaq Insight Manager 7
     Compaq Insight Manager 7 uses the Sun Java Runtime Environment
     version 1.3.1 in place of the Microsoft Java Runtime Environment.

   o Compaq Management Agents
     See Resolution section.

   o Remote Insight Lights-Out Edition
     See Resolution section.

Compaq Tru64 UNIX

      V4.0f    SDK and JRE 1.1.7B-2
      V4.0g    SDK and JRE 1.1.7B-2
      V5.0a    SDK and JRE 1.1.7B-6
      V5.1     SDK and JRE 1.1.8-6 (default) and 1.2.2-6

Compaq NonStop Himalaya

      No applets run on the Compaq NonStop Himalaya operating systems.
      This is not a vulnerability on these systems.

Compaq OpenVMS

      V7.2, V7.2-1  SDK and JRE 1.1.6-2
      V7.2-1h1      SDK and JRE 1.1.6-2
      V7.2-1h2      SDK and JRE 1.1.6-2
      V7.2-2        SDK and JRE 1.1.6-2
      V7.3          SDK and JRE 1.1.8-5 (includes fix)

      *Please note that this is an issue for the Alpha architecture
       only. OpenVMS on VAX does not support Java.

___________
RESOLUTION:

The following table outlines the suggested resolutions to the
vulnerabilities described above. Suggested remedies differ from product
to product depending on the developer of the Java Runtime Environment
and on any dependencies for synchronization between server-side and
client-side components.

Compaq Insight Manager XE

   Compaq Insight Manager XE uses the Microsoft Java Runtime Environment
   integrated into Microsoft Internet Explorer. Compaq recommends that
   Compaq Insight Manager XE users upgrade to Compaq Insight Manager 7
   SP1, which will be available for download in the first half of May at
   http://www.compaq.com/manage. Compaq Insight Manager 7 SP1 leverages
   version 1.3.1_02 of the Sun Java Runtime Environment, which addresses
   the vulnerability described above. Prior to the release of Compaq
   Insight Manager 7 SP1, Compaq recommends that users exercise care
   when browsing to sites outside of the internal network using a
   browser with a vulnerable version of the Microsoft Java Runtime
   Environment. While it is possible to update the browser to the
   version of the Java Runtime Environment recommended by Microsoft,
   this version has not been tested with Compaq Insight Manager XE and
   Compaq cannot guarantee that Insight Manager XE will function
   properly.

Compaq Insight Manager 7

   Compaq Insight Manager 7 uses the Sun Java Runtime Environment
   version 1.3.1 in place of the Microsoft Java Runtime Environment.
   Compaq is in the process of incorporating version 1.3.1_02 of the
   runtime environment, which fixes the aforementioned vulnerability,
   into Compaq Insight Manager 7 Service Pack 1. Compaq Insight Manager
   7 SP1 will be available at the beginning of May. Users may not use
   version 1.3.1_02 of the plug-in with the current version of Compaq
   Insight Manager 7, as newer versions of the Sun Java Runtime
   Environment are not backwards compatible and Insight Manager 7 may
   not function properly if client-side and server-side runtime
   environments are not of the same version.

   Compaq recommends that current Compaq Insight Manager 7 users close
   Microsoft Internet Explorer prior to browsing to untrusted sites
   outside of the corporate firewall. This will ensure that the Java
   plug-in is closed prior to browsing to sites on the public Internet.
   With Compaq Insight Manager 7 SP1, the requirement to close the
   browser prior to visiting public sites will be removed.

Compaq Management Agents

   Update to the version of the Java Runtime Environment that Microsoft
   recommends. This information may be found at
   http://www.microsoft.com/java/vm/dl_vm40.htm

Remote Insight Lights-Out Edition / Integrated Lights-Out on ProLiant
DL360 G2

   Update to the Java(tm) 2 Runtime Environment, Standard Edition,
   version 1.3.1_02. To download this software simply click on the
   hyperlink http://java.sun.com/j2se/1.3/

Compaq Tru64 UNIX

   Tru64 UNIX - Java 1.1.7B-10
   Tru64 UNIX - Java 1.1.8-13 (includes fix)
   Tru64 UNIX - Java 1.2.2-12
   Tru64 UNIX - Java 1.3.0-1
   Tru64 UNIX - Java 1.3.1-2 (includes fix)

   It is critical that the information posted at
   http://www.compaq.com/java/alpha be reviewed before updating Java.
   Tru64 UNIX 5.0 and higher include some Java-based tools that depend
   on the Java environment version that ships with the operating system
   and is installed in /usr/bin. If you change the default system Java
   environment version, some operating system tools, such as the SysMan
   Station, the SysMan Station authentication daemon, and the Logical
   Storage Manager (LSM) Storage Administrator, will not work correctly.

Compaq OpenVMS

   The following table shows the Java versions that are available at
   http://www.compaq.com/java/alpha and indicates whether the version
   includes the fix:

   Compaq OpenVMS - Java 1.1.8-5 (includes fix)
   Compaq OpenVMS - Java 1.2.2-3
   Compaq OpenVMS - Java 1.3.0-2 (includes fix)
   Compaq OpenVMS - Java 1.3.1-2 (includes fix)

   It is critical that the information posted at
   http://www.compaq.com/java/alpha be reviewed before updating Java.

__________
SUBSCRIBE:

To subscribe to automatically receive future Security Advisories from
Compaq's Software Security Response Team via electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml

_______
REPORT:

To report a potential security vulnerability with any Compaq supported
product, send email to
mailto:security-ssrt () compaq com
or
mailto:sec-alert () compaq com

Compaq appreciates your cooperation and patience. As always, Compaq
urges you to periodically review your system management and security
procedures. Compaq will continue to review and enhance the security
features of its products and work with our customers to maintain and
improve the security and integrity of their systems.

"Compaq is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected Compaq products the important
security information contained in this Bulletin. Compaq recommends that
all users determine the applicability of this information to their
individual situations and take appropriate action. Compaq does not
warrant that this information is necessarily accurate or complete for
all user situations and, consequently, Compaq will not be responsible
for any damages resulting from user's use or disregard of the
information provided in this Bulletin."

Copyright 2002 Compaq Information Technologies Group, L.P.

Compaq shall not be liable for technical or editorial errors or
omissions contained herein. The information in this document is subject
to change without notice.

Compaq and the names of Compaq products referenced herein are, either,
trademarks and/or service marks or registered trademarks and/or service
marks of Compaq Information Technologies Group, L.P. Other product and
company names mentioned herein may be trademarks and/or service marks of
their respective owners.
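An added check, not part of the bulletin or of Compaq's own tooling: the script below classifies an installed JRE version against the builds the bulletin marks "(includes fix)" for Tru64 UNIX, OpenVMS and the Sun plug-in, and flags the trap the resolution tables imply, that a higher build number in an unfixed release line (such as Tru64 Java 1.2.2-12) is not a fix. The platform keys, the assumption that Compaq's JREs print `java version "..."` like Sun's, and the sample output are mine.

```python
import re

# Lowest build the bulletin marks "(includes fix)" in each release line.
# None: the line is listed with no fixed build, so a higher build number
# alone (e.g. Tru64 Java 1.2.2-12) does not mean the fix is present.
# Lines absent from a table (e.g. OpenVMS 1.1.6-2, listed only as impacted)
# need an upgrade to one of the listed fixed builds. Sun's 1.3.1_02 is the
# update named for Insight Manager 7 SP1 and the Lights-Out products.
FIXED_BUILDS = {
    "tru64":   {"1.1.7B": None, "1.1.8": 13, "1.2.2": None, "1.3.0": None, "1.3.1": 2},
    "openvms": {"1.1.8": 5, "1.2.2": None, "1.3.0": 2, "1.3.1": 2},
    "sun":     {"1.3.1": 2},
}

# Accepts Compaq's "1.1.8-13" / "1.1.7B-10" and Sun's "1.3.1_02" forms.
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+[A-Za-z]?)(?:[-_](\d+))?$")

def parse_version(text):
    """Split a JRE version into (release line, build), e.g. ('1.3.1', 2).
    Returns None when the string is not a recognisable JRE version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2) or 0)

def extract_version(java_version_output):
    """Pull the quoted version out of 'java -version' output such as
    java version "1.3.1_02". Assumption: the Compaq JREs print this shape."""
    m = re.search(r'version "([^"]+)"', java_version_output)
    return m.group(1) if m else None

def check(platform, version_text):
    """Classify an installed JRE against the bulletin's fixed builds."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    line, build = parsed
    table = FIXED_BUILDS[platform]
    if line not in table:
        return "line-not-in-resolution-table"
    fixed = table[line]
    if fixed is None:
        return "no-fixed-build-listed"
    return "fixed" if build >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed sample: a Tru64 V5.1 host still on its default 1.1.8-6 JRE.
    sample = 'java version "1.1.8-6"\nJava(TM) Runtime Environment (constructed)'
    print(check("tru64", extract_version(sample)))  # vulnerable
```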
