Bugtraq mailing list archives
(SSRT0822) Security Bulletin - Compaq & Java Proxy/VM Potential Security Vulnerabilities (fwd)
From: Dave Ahmad <da () securityfocus com>
Date: Tue, 14 May 2002 19:49:44 -0600 (MDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SECURITY BULLETIN
TITLE: (SSRT0822) Java(tm) Runtime Environment - Proxy and JVM
Potential Security Vulnerabilities
NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.
Posted at:
http://www.support.compaq.com/patches/mailing-list.shtml
RELEASE DATE: May 2002
SEVERITY: HIGH
SOURCE:
Compaq Computer Corporation
Compaq Services
Software Security Response Team
REFERENCE:
SUN Bulletin #00216 & #00218, CVE CAN-2002-0058 , CVE
CAN-2002-0076
________________
PROBLEM SUMMARY:
When using Microsoft Internet Explorer or NetScape Navigator to
browse to Compaq products incorporating affected versions of the
Java Runtime Environment, users may become vulnerable to attack
from untrusted applets. These applets may be able to increase
their privileges on the user system and potentially gain un-
authorized access to system resources. This potential problem
would exist on either side of a corporate firewall.
Sun Microsystems published two security bulletins regarding
potential vulnerabilities in Java(tm).
o The first is a security bulletin (#00216) regarding a
potential runtime environmental redirection issue that
may allow an untrusted applet to monitor requests to
and responses from an HTTP proxy server when a persistent
connection is used between a client and an HTTP proxy server.
NOTE: Only systems that have a HTTP proxy configured would be
vulnerable to this potential exploit.
o The second is a security bulletin (#00218) regarding a
potential vulnerability to attack of the Java Runtime
Environment Bytecode Verifier. The security advisory
states, "A vulnerability in the Java(TM) Runtime
Environment Bytecode Verifier may be exploited by an
untrusted applet to escalate privileges."
__________________
VERSIONS IMPACTED:
Compaq Management Software
Compaq Insight Manager 7, Compaq Insight Manager XE, the
Compaq Management Agents and the Remote Insight Lights-Out
Edition Card leverage Java technology to deliver portions of their
functionality. The Java software causing this problem is delivered
as part of the Java Runtime Environment used to enable access to
these management products and as part of the server-side software
embedded in Compaq Insight Manager XE and Compaq Insight
Manager 7.
o Compaq Insight Manager XE
Compaq Insight Manager XE uses the Microsoft Java Runtime
Environment integrated into Microsoft Internet Explorer.=3D3D20
o Compaq Insight Manager 7
Compaq Insight Manager 7 uses the Sun Java Runtime Environment
version 1.3.1 in place of the Microsoft Java Runtime
Environment.
o Compaq Management Agents
See resolution Section
o Remote Insight Lights-Out Edition
See resolution Section
Compaq Tru64 UNIX
V4.0f SDK and JRE 1.1.7B-2
V4.0g SDK and JRE 1.1.7B-2
V5.0a SDK and JRE 1.1.7B-6
V5.1 SDK and JRE 1.1.8-6 (default) and 1.2.2-6
Compaq Nonstop Himalaya
No applets run on the Compaq NonStop Himalaya operating systems.
This is not a vulnerability on these systems.
Compaq OpenVMS
V7.2 V7.2-1 SDK and JRE 1.1.6-2
V7.2-1h1 SDK and JRE 1.1.6-2
V7.2-1h2 SDK and JRE 1.1.6-2
V7.2-2 SDK and JRE 1.1.6-2
V7.3 SDK and JRE 1.1.8-5 (includes fix)
*Please note that this is an issue for the Alpha
architecture only. OpenVMS on Vax does not support Java.
___________
RESOLUTION:
The following table outlines the suggested resolutions to the
vulnerabilities described above. Suggested remedies will be
different on a product-by-product depending on developer of
the Java Runtime Environment and any dependencies for
synchronization between server and client side components.
Compaq Insight Manager XE
Compaq Insight Manager XE uses the Microsoft Java Runtime
Environment integrated into Microsoft Internet Explorer.
Compaq recommends that Compaq Insight Manager XE users
upgrade to Compaq Insight Manager 7 SP1 that will be
available for download in the first half of May at
http://www.compaq.com/manage. Compaq Insight Manager 7 SP1
leverages version 1.3.1_02 of the Sun Java Runtime Environment
that addresses the vulnerability described above. Prior to the
release of Compaq Insight Manager 7 SP1, Compaq recommends that
users exercise care when browsing to sites outside of the
internal network using a browser with a vulnerable version of
the Microsoft Java Runtime Environment. While it is possible
to update the browser to the version of the Java Runtime
Environment recommended by Microsoft, this version has not been
tested with Compaq Insight Manager XE and Compaq cannot
guarantee that Insight Manager XE will function properly.
Compaq Insight Manager 7
Compaq Insight Manager 7 uses the Sun Java Runtime Environment
version 1.3.1 in place of the Microsoft Java Runtime Environment.
Compaq is in the process of incorporating version 1.3.1_02 of the
runtime environment, which fixes the aforementioned vulnerability,
into Compaq Insight Manager 7 Service Pack 1. Compaq Insight
Manager 7 SP1 will be available at the beginning of May. Users
may not use version 1.3.1_02 of the plug-in with the current
version of Compaq Insight Manager 7 as newer versions of the Sun
Java Runtime Environment are not backwards compatible and the
Insight Manager 7 may not function properly if client
and server side runtime environments are not of the same version.
Compaq recommends that current Compaq Insight Manager 7 users
close Microsoft Internet Explorer prior to browsing to
untrusted sites outside of the corporate firewall. This will
ensure that the Java plug-in is closed prior to browsing to
sites on the public Internet. With Compaq Insight Manager 7 SP1,
the requirement to close the browser prior to visiting public
sites will be removed.
Compaq Management Agents
Update to the version of the Java Runtime Environment that
Microsoft Recommends. This information may be found at
http://www.microsoft.com/java/vm/dl_vm40.htm
Remote Insight Lights-Out Edition / Integrated Lights-Out
on ProLiant DL360 G2
Update to the Java(tm) 2 Runtime Environment, Standard Edition,
version 1.3.1_02. To download this software simply click on
the hyperlink http://java.sun.com/j2se/1.3/
Compaq TRU64 UNIX
Tru64 UNIX - Java 1.1.7B-10
Tru64 UNIX - Java 1.1.8-13 (includes fix)
Tru64 UNIX - Java 1.2.2-12
Tru64 UNIX - Java 1.3.0-1
Tru64 UNIX - Java 1.3.1-2 (includes fix)
It is critical that the information posted at
http://www.compaq.com/java/alpha be reviewed before updating Java.
Tru64 UNIX 5.0 and higher include some Java-based tools that
depend on the Java environment version that ships with the
operating system and is installed in /usr/bin. If you change
the default system Java environment version, some operating
system tools, such as the SysMan Station, the SysMan Station
authentication daemon, and the Logical Storage Manager (LSM)
Storage Administrator, will not work correctly.
Compaq OpenVMS
The following table shows Java versions that are available at
http://www.compaq.com/java/alpha and indicates if the version
includes
the fix:
Compaq OpenVMS - Java 1.1.8-5 (includes fix)
Compaq OpenVMS - Java 1.2.2-3
Compaq OpenVMS - Java 1.3.0-2 (includes fix)
Compaq OpenVMS - Java 1.3.1-2 (includes fix)
It is critical that the information posted at
http://www.compaq.com/java/alpha be reviewed before updating Java.
__________
SUBSCRIBE:
To subscribe to automatically receive future Security
Advisories from the Compaq's Software Security Response Team via
electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml
_______
REPORT:
To report a potential security vulnerability with any Compaq
supported product, send email mailto:security-ssrt () compaq com
or mailto:sec-alert () compaq com
Compaq appreciates your cooperation and patience. As always,
Compaq urges you to periodically review your system management
and security procedures. Compaq will continue to review and
enhance the security features of its products and work with
our customers to maintain and improve the security and integrity
of their systems.
"Compaq is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected Compaq products the
important security information contained in this Bulletin.
Compaq recommends that all users determine the applicability of
this information to their individual situations and take appropriate
action. Compaq does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently,
Compaq will not be responsible for any damages resulting from
user's use or disregard of the information provided in this
Bulletin."
Copyright 2002 Compaq Information Technologies Group, L.P.
Compaq shall not be liable for technical or editorial errors
or omissions contained herein. The information in this document
is subject to change without notice. Compaq and the names of
Compaq products referenced herein are, either, trademarks
and/or service marks or registered trademarks and/or service
marks of Compaq Information Technologies Group, L.P. Other product
and company names mentioned herein may be trademarks and/or service
marks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBPOFxFDnTu2ckvbFuEQKjvQCgrIbosO8ILvkzRikR2nit/mzy1k4An3TK
aVsSiWVhRI67p1RCnquAtuf2
=VRtm
-----END PGP SIGNATURE-----
Current thread:
- (SSRT0822) Security Bulletin - Compaq & Java Proxy/VM Potential Security Vulnerabilities (fwd) Dave Ahmad (May 14)