Thursday Dec 16, 2010

Index of Security Sun Alerts and Mappings for Legacy SunSolve Links

SunSolve support portal was replaced by (My Oracle Support) earlier this week. All Security Sun Alerts are now accessible to customers through website. Old URLs pointing to with Sun Alert document IDs do not redirect automatically to their new URLs on The Document ID numbers under Oracle support portal are new and different from the document ID numbers published under SunSolve.

To make referring to these Sun Alerts easier, we are providing a mapping of the old Sun Alert IDs to new Oracle IDs and an archive of Sun Alerts at:

SunSolve itself had transitioned through different knowledge management systems, resulting in multiple legacy document IDs for the same Sun Alert. The above mapping also lists any such previously used ID numbers and URL formats.

New Security Sun Alerts are no longer published as of April 2010. Customers are alerted about security vulnerabilities through the Oracle Security Alert process. Details can be found on the Critical Patch Updates and Security Alerts site.

Tuesday Oct 12, 2010

October 2010 Oracle Critical Patch Update Advisories are Available

Oracle has released the October 2010 Critical Patch Update (CPUOct2010) and a Critical Patch Update for Java SE and Java for Business.

These security advisories list a number of critical security vulnerability fixes in Sun products. There are links to Patch Availability Documents that list the patches and upgrades required to resolve the vulnerabilities.

We are also providing Solaris OS CPU Patch Clusters for Solaris 9 and 10, available for download from SunSolve. These clusters contain all the patches required to resolve the Solaris vulnerabilities mentioned in the October CPU, as well as other vulnerabilities in third party components used in Solaris.

Please refer to:

Friday Oct 01, 2010

Mapping between CVE numbers and Solaris patches for October 2010 CPU

Hi, this is Eric Maurice.

In a previous blog entry, we invited customers to provide feedback in regards to the content of the Critical Patch Update advisory for Oracle Sun products. Such feedback is very valuable, and continues to drive the definition of Oracle Software Security Assurance policies.

As a result of the feedback received, Oracle has updated its policies to include the mapping of each vulnerability's CVE number to the particular Solaris package patch version (patchid), in all future Solaris CPU Patch Availability Documents. The updated policy will be effective with the October 2010 Critical Patch Update onward.

With the Critical Patch Update, Oracle's objective is to positively influence the security posture of all customers by providing the most effective vulnerability remediation program in the industry. This means not only producing effective, fully tested security patches on all supported platform and version combinations every quarter, but also providing sufficient information about the newly fixed vulnerabilities to enable customers to make proper patching decisions and effectively manage their security management costs.

For More Information:

Tuesday Aug 03, 2010

Mapping between CVE numbers and Solaris patches for CPU July 2010

Oracle updated the July 2010 Critical Patch Update documentation to provide the mapping between CVE numbers and Solaris patches. This mapping is also provided in the table below.

We encourage customers to contact to ensure that Oracle's updated documentation meets the needs of its customers, particularly as they relate to the CVE to patch mapping.

Your feedback will help Oracle understand the specific requirements of your organization, and for example, will help determine if such mapping should be included in all CPU advisories. Below is the mapping table between CVE numbers and Solaris patches. This information will also be available in the updated patch availability document referenced in the Critical Patch Update.

You can find the July 2010 Critical Patch Update at

CVE # Component Solaris 8 Solaris 9 Solaris 10
CVE-2010-0083 ToolTalk 110286-17 110287-17 112808-11 113797-09 143733-01 143734-01
CVE-2008-4247 FTP Server 111606-08 111607-08 114564-15 114565-15 140399-03 140400-03
CVE-2010-0916 rdist 140159-03 140160-03
CVE-2010-2392 ZFS 142900-12 142901-12
CVE-2010-2386 GigaSwift Ethernet Driver 111883-37 112817-33 117714-17 118777-14 118778-12
CVE-2010-2394 TCP/IP 142900-12 142901-12
CVE-2010-2399 Kernel/VM 142900-07 142901-07
CVE-2010-2400 Kernel/Filesystem 122300-50 122301-50 142900-08 142901-08
CVE-2010-2393 Kernel/RPC 144254-01 144255-01
CVE-2010-2376 Solaris Management Console 113749-04 113750-04 114503-17 114504-17 119315-21 119316-21
CVE-2010-2382 Install Software 109318-40 109319-39 113434-38 114196-36 119534-19 119535-19
CVE-2010-2383 NFS 119819-03 119820-03 122300-53 122301-52 144106-01 144107-01
CVE-2010-2384 Solaris Management Console 144323-01 144324-01 144325-01 144326-01

Note: Releases or platforms for which no patch is listed are not vulnerable to the corresponding issue.
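One way to act on this mapping is to compare it against what a host reports as installed. The following is an added example, not code from Oracle or from the page: it parses four rows copied from the table above, parses a constructed sample of showrev -p output for a hypothetical host, and classifies each CVE as fixed, outdated, or not covered by any listed patch. Because the flattened table does not say which release each SPARC/x86 patch pair belongs to, the check treats every patch listed for a CVE as a candidate fix.

```python
import re
# Four rows copied from the CVE-to-patch table above. The flattened table does not
# say which release each SPARC/x86 pair belongs to, so every listed patch counts.
CVE_PATCH_TABLE = """\
CVE-2010-0083 ToolTalk 110286-17 110287-17 112808-11 113797-09 143733-01 143734-01
CVE-2010-2392 ZFS 142900-12 142901-12
CVE-2010-2399 Kernel/VM 142900-07 142901-07
CVE-2010-2400 Kernel/Filesystem 122300-50 122301-50 142900-08 142901-08
"""

# Constructed sample of 'showrev -p' output for a hypothetical Solaris 10 host.
SHOWREV_SAMPLE = """\
Patch: 142900-09 Obsoletes: 141444-09 Requires: 120011-14 Incompatibles:  Packages: SUNWckr, SUNWcsu
Patch: 143733-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtltk
"""

PATCH_RE = re.compile(r"\b(\d{6})-(\d{2})\b")  # Solaris patch id: base-revision

def parse_table(text):
    """Map each CVE to {patch_base: required_revision}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("CVE-"):
            table[parts[0]] = {m[1]: int(m[2]) for m in PATCH_RE.finditer(line)}
    return table

def parse_showrev(text):
    """Map each installed patch base to its highest installed revision."""
    installed = {}
    for m in re.finditer(r"^Patch: (\d{6})-(\d{2})", text, re.MULTILINE):
        installed[m[1]] = max(int(m[2]), installed.get(m[1], 0))
    return installed

def assess(table, installed):
    """'fixed': a listed patch is installed at or above the required revision;
    'outdated': a listed base is installed but older; 'no-patch-installed':
    the fix is missing or this release is not affected (see the note above)."""
    result = {}
    for cve, patches in table.items():
        status = "no-patch-installed"
        for base, need in patches.items():
            have = installed.get(base)
            if have is not None and have >= need:
                status = "fixed"
                break
            if have is not None:
                status = "outdated"
        result[cve] = status
    return result
```

A real run would feed the full published table and the host's actual showrev -p output to the two parsers; a no-patch-installed result still needs the release column of the published table to decide between "missing" and "not affected".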

Thursday Mar 25, 2010

Advance notification of Security Updates for Java SE

On March 30, 2010, Oracle will release the following security updates:
  • JDK and JRE 6 Update 19
  • JDK and JRE 5.0 Update 24
  • SDK and JRE 1.4.2_26
An Oracle Java SE and Java for Business Critical Patch Update advisory will be published in place of Sun Alerts. Pre-release announcements for future security updates will be published at the Oracle Critical Patch Updates and Security Alerts website.

Thursday Jan 07, 2010

Vulnerability in TLS Protocol during Renegotiation [CVE-2009-3555]

A security vulnerability in the TLS protocol (TLS 1.0 or later, and SSLv3) may allow an unauthenticated remote attacker to conduct man-in-the-middle (MITM) attacks in which chosen plaintext is injected as a prefix into a user's TLS session. This vulnerability does not allow one to decrypt or modify the intercepted network communication.

This issue is referenced in CVE-2009-3555 and US-CERT VU#120541.

The exact nature of the impact depends on the application making use of the TLS facility.

Sun is evaluating the impact of the issue on the various products that make use of the TLS libraries. We are working to fix the TLS implementations according to the TLS renegotiation extension defined in RFC 5746.

  • Solaris Kernel SSL:
    The Solaris Kernel SSL proxy module, KSSL, does not support client renegotiation or rehandshake. It ignores the rehandshake message, which is behavior allowed by the SSL/TLS specification. Hence it is not vulnerable to this issue. KSSL (see ksslcfg(1M)) is available in Solaris 10 and OpenSolaris. It may be used to work around the described issue in server applications.

  • Java:
    The Java Secure Socket Extension (JSSE) included in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux is affected:

    • JDK and JRE 6 Update 17 and earlier
    • JDK and JRE 5.0 Update 22 and earlier
    • SDK and JRE 1.4.2_24 and earlier

    An interim fix that disables TLS/SSL renegotiation in JSSE by default is included in the March 2010 Java security update.

  • GnuTLS libraries in Solaris:
    The issue does not affect any server applications distributed with Solaris which use the GnuTLS library. At this time we do not plan to issue any interim fixes to the GnuTLS libraries. Fixes to the GnuTLS distributed with Solaris will be provided when the proposed TLS extensions become a standard.

  • OpenSSL libraries in Solaris:
    Sun Alert 273029 describes this issue in the OpenSSL (openssl(5)) libraries provided with Solaris 10 and OpenSolaris.

  • Network Security Services (NSS):
    Sun Alert 273350 describes the issue in NSS libraries provided with Solaris and Sun Java Enterprise System.

  • Sun Java Enterprise System Suite:
    Sun Alert 274990 describes the issue in Sun Java System Web Server 6.1, 7.0, Sun Java System Web Proxy Server 4.0, Sun Java System Application Server Enterprise Edition and Sun GlassFish Enterprise Server v2.1. This article explains the issue in Sun Java System Web Server and provides workarounds and mitigation.

Wednesday Dec 02, 2009

Solaris 10 Security Essentials by Sun Microsystems Security Engineers published in Paperback

Prentice Hall has published the book Solaris 10 Security Essentials which describes the various security technologies contained in the Solaris operating system. This is now available at or Safari

"Solaris™ 10 Security Essentials describes the various security technologies contained in the Solaris operating system. The book describes how to make installations secure and how to configure the OS to the particular needs of your environment, whether your systems are on the edge of the Internet or running a data center. The authors present the material in a straightforward way that makes a seemingly arcane subject accessible to system administrators at all levels.

"The strengths of the Solaris operating system’s security model are its scalability and its adaptability. It can protect a single user with login authentication or multiple users with Internet and intranet configurations requiring user-rights management, authentication, encryption, IP security, key management, and more. This book is written for users who need to secure their laptops, network administrators who must secure an entire company, and everyone in between."

Authors include Glenn Brunette, Hai-May Chao, Martin Englund, Glenn Faden, Mark Fenwick, Valerie Anne Fenwick, Wyllys Ingersoll, Wolfgang Ley, Darren Moffat, Pravas Kumar Panda, Jan Pechanec, Mark Phalan, Darren Reed, Scott Rotondo, Christoph Schuba, Sharon Read Veach, Joep Vesseur, and Paul Wernau.

Solaris 10 Security Essentials; Sun Microsystems Security Engineers; Prentice Hall PTR; November 23, 2009; ISBN 978-0137012336

Thursday Oct 29, 2009

Advance notification of Security Updates for Java SE

On November 3, 2009, Sun will release the following security updates:
  • JDK and JRE 6 Update 17
  • JDK and JRE 5.0 Update 22
  • SDK and JRE 1.4.2_24
  • SDK and JRE 1.3.1_27
The following Sun Alerts corresponding to these updates will be released following the availability of these updates.

Friday Jul 31, 2009

Advance notification of Security Updates for Java SE

On August 4, 2009, Sun will release the following security updates:
  • JDK and JRE 6 Update 15
  • JDK and JRE 5.0 Update 20
  • SDK and JRE 1.4.2_22
  • SDK and JRE 1.3.1_26
The following Sun Alerts corresponding to these updates will be released following the availability of these updates.

Tuesday Jul 14, 2009

US-CERT Vulnerability Note VU#466161 - XML signature HMAC truncation authentication bypass

US-CERT Vulnerability Note VU#466161 describes a security vulnerability with verifying HMAC-based XML digital signatures.

The XML Digital Signature implementation included with the Java Runtime Environment is affected and may allow authentication to be bypassed. Applications that validate HMAC-based XML digital signatures may be vulnerable to this type of attack. This vulnerability cannot be exploited by an untrusted applet or Java Web Start application.

This issue can occur in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux:
  • JDK and JRE 6 Update 14 and earlier
Note: JDK and JRE 5.0, and SDK and JRE 1.4.2 and 1.3.1 are not affected.

This issue will be addressed with our upcoming Java SE security updates which are targeted to be released in late July 2009.
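The defensive side of an HMAC truncation problem is a verifier that refuses short output lengths before it compares anything. The following is an added example, not code from the JRE's XML Digital Signature implementation or from US-CERT: it models an XML Signature HMAC check where the signature may request a truncated output via HMACOutputLength, and it enforces the floor from RFC 2104 section 5 (at least half of the digest and no fewer than 80 bits). The key and SignedInfo bytes in the test are constructed.

```python
import hmac

# XML Signature's <HMACOutputLength> lets a signature carry a truncated HMAC.
# RFC 2104 section 5 says truncated output must keep at least half of the
# digest and no fewer than 80 bits; that is the floor enforced here.
MIN_OUTPUT_BITS = 80

class UnsafeOutputLength(ValueError):
    """Raised when a requested HMACOutputLength is too short to be trusted."""

def _checked_bits(output_bits, digest_size):
    """Return the number of bits to compare, or refuse an unsafe request."""
    full_bits = digest_size * 8
    if output_bits is None:
        return full_bits
    if output_bits <= 0 or output_bits > full_bits or output_bits % 8:
        raise UnsafeOutputLength("HMACOutputLength must be a multiple of 8 within the digest")
    if output_bits < max(MIN_OUTPUT_BITS, full_bits // 2):
        raise UnsafeOutputLength(f"HMACOutputLength {output_bits} is below the floor")
    return output_bits

def sign(key, signed_info, output_bits=None, digest="sha1"):
    """Produce the SignatureValue: HMAC over the canonical SignedInfo bytes,
    truncated to output_bits (full digest when None)."""
    mac = hmac.new(key, signed_info, digest)
    return mac.digest()[: _checked_bits(output_bits, mac.digest_size) // 8]

def verify(key, signed_info, signature_value, output_bits=None, digest="sha1"):
    """Validate a SignatureValue. The length check runs before any comparison,
    so a signature that asks for a tiny HMACOutputLength is rejected rather
    than compared; the comparison itself is constant-time."""
    mac = hmac.new(key, signed_info, digest)
    expected = mac.digest()[: _checked_bits(output_bits, mac.digest_size) // 8]
    return len(signature_value) == len(expected) and hmac.compare_digest(
        expected, signature_value
    )

def verify_outcome(key, signed_info, signature_value, output_bits=None):
    """'valid', 'invalid', or 'rejected' (unsafe HMACOutputLength requested)."""
    try:
        return "valid" if verify(key, signed_info, signature_value, output_bits) else "invalid"
    except UnsafeOutputLength:
        return "rejected"
```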


This blog provides security vulnerability fix notifications relevant to third party software components distributed and supported as part of Oracle products.
A summarized version of this blog is available as a mapping of CVEs and solutions.

