Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Incorrect Certificate Validation in Java Secure Socket Extension
From: Alex Loots <a.loots () itsec-ss nl>
Date: Tue, 28 Jan 2003 09:04:29 +0100
According to SUN it has been reported that: "the Java Secure Socket
Extension (JSSE) may incorrectly validate the digital certificate of a
web site. This may result in untrustworthy web sites being
authenticated for SSL transactions. The Java Plug-in and Java Web Start
may incorrectly validate the digital certificates of signed JAR files.
This may result in untrustworthy code being executed as trusted code." 


From the JSSE changelog: "If an SSLContext was initialized

(SSLContext.init()) with an instance of the X509TrustManager
implementation, JSSE 1.0.3 incorrectly called the isClientTrusted()
method when making server trust decisions." 

The SUN bulletin:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081&zone_32=category%3Asecurity

The changelog Java(tm) Secure Socket Extension 1.0.3_01 mentions this
vulnerability
http://java.sun.com/products/jsse/CHANGES.txt


-- 
-Alex

  By Date           By Thread  

Current thread:
  • Incorrect Certificate Validation in Java Secure Socket Extension Alex Loots (Jan 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]