RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2010:0155)

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated java-1.4.2-ibm packages that fix one security issue and a bug
are now available for Red Hat Enterprise Linux 3 Extras, Red Hat
Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
Supplementary.

The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from
the CVE link in the References section.

The IBM 1.4.2 SR13-FP4 Java release includes the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit.

A flaw was found in the way the TLS/SSL (Transport Layer
Security/Secure Sockets Layer) protocols handle session renegotiation.
A man-in-the-middle attacker could use this flaw to prefix arbitrary
plain text to a client's session (for example, an HTTPS connection to
a website). This could force the server to process an attacker's
request as if authenticated using the victim's credentials.
(CVE-2009-3555)

This update disables renegotiation in the non-default IBM JSSE2
provider for the Java Secure Socket Extension (JSSE) component. The
default JSSE provider is not updated with this fix. Refer to the
IBMJSSE2 Provider Reference Guide, linked to in the References, for
instructions on how to configure the IBM Java 2 Runtime Environment to
use the JSSE2 provider by default.

When using the JSSE2 provider, unsafe renegotiation can be re-enabled
using the com.ibm.jsse2.renegotiate property. Refer to the following
Knowledgebase article for details:
http://kbase.redhat.com/faq/docs/DOC-20491

This update also fixes the following bug :

* the libjaasauth.so file was missing from the java-1.4.2-ibm packages
for the Intel Itanium architecture (.ia64.rpm). This update adds the
file to the packages for the Itanium architecture, which resolves this
issue. (BZ#572577)

All users of java-1.4.2-ibm are advised to upgrade to these updated
packages, which contain the IBM 1.4.2 SR13-FP4 Java release. All
running instances of IBM Java must be restarted for this update to
take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
http://kbase.redhat.com/faq/docs/DOC-20491
http://www.nessus.org/u?72d9bed8
http://rhn.redhat.com/errata/RHSA-2010-0155.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 46272 ()

Bugtraq ID: 36935

CVE ID: CVE-2009-3555