From da@securityfocus.com Mon May 27 09:16:16 2002
From: Dave Ahmad
To: bugtraq@securityfocus.com
Date: Tue, 14 May 2002 19:49:44 -0600 (MDT)
Subject: (SSRT0822) Security Bulletin - Compaq & Java Proxy/VM Potential Security Vulnerabilities (fwd)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN

TITLE: (SSRT0822) Java(tm) Runtime Environment - Proxy and JVM
       Potential Security Vulnerabilities

NOTICE: There are no restrictions for distribution of this Bulletin
        provided that it remains complete and intact.

Posted at: http://www.support.compaq.com/patches/mailing-list.shtml

RELEASE DATE: May 2002

SEVERITY: HIGH

SOURCE: Compaq Computer Corporation
        Compaq Services
        Software Security Response Team

REFERENCE: SUN Bulletin #00216 & #00218, CVE CAN-2002-0058,
           CVE CAN-2002-0076

________________
PROBLEM SUMMARY:

When using Microsoft Internet Explorer or Netscape Navigator to browse
to Compaq products incorporating affected versions of the Java Runtime
Environment, users may become vulnerable to attack from untrusted
applets. These applets may be able to increase their privileges on the
user system and potentially gain unauthorized access to system
resources. This potential problem would exist on either side of a
corporate firewall.

Sun Microsystems published two security bulletins regarding potential
vulnerabilities in Java(tm).

  o  The first is a security bulletin (#00216) regarding a potential
     runtime environmental redirection issue that may allow an
     untrusted applet to monitor requests to and responses from an
     HTTP proxy server when a persistent connection is used between a
     client and an HTTP proxy server.

     NOTE: Only systems that have an HTTP proxy configured would be
     vulnerable to this potential exploit.

  o  The second is a security bulletin (#00218) regarding a potential
     vulnerability to attack of the Java Runtime Environment Bytecode
     Verifier.
     The security advisory states, "A vulnerability in the Java(TM)
     Runtime Environment Bytecode Verifier may be exploited by an
     untrusted applet to escalate privileges."

__________________
VERSIONS IMPACTED:

Compaq Management Software

Compaq Insight Manager 7, Compaq Insight Manager XE, the Compaq
Management Agents and the Remote Insight Lights-Out Edition Card
leverage Java technology to deliver portions of their functionality.
The Java software causing this problem is delivered as part of the
Java Runtime Environment used to enable access to these management
products and as part of the server-side software embedded in Compaq
Insight Manager XE and Compaq Insight Manager 7.

  o  Compaq Insight Manager XE
     Compaq Insight Manager XE uses the Microsoft Java Runtime
     Environment integrated into Microsoft Internet Explorer.

  o  Compaq Insight Manager 7
     Compaq Insight Manager 7 uses the Sun Java Runtime Environment
     version 1.3.1 in place of the Microsoft Java Runtime Environment.

  o  Compaq Management Agents
     See Resolution section

  o  Remote Insight Lights-Out Edition
     See Resolution section

Compaq Tru64 UNIX

  V4.0f      SDK and JRE 1.1.7B-2
  V4.0g      SDK and JRE 1.1.7B-2
  V5.0a      SDK and JRE 1.1.7B-6
  V5.1       SDK and JRE 1.1.8-6 (default) and 1.2.2-6

Compaq NonStop Himalaya

No applets run on the Compaq NonStop Himalaya operating systems. This
is not a vulnerability on these systems.

Compaq OpenVMS

  V7.2
  V7.2-1     SDK and JRE 1.1.6-2
  V7.2-1h1   SDK and JRE 1.1.6-2
  V7.2-1h2   SDK and JRE 1.1.6-2
  V7.2-2     SDK and JRE 1.1.6-2
  V7.3       SDK and JRE 1.1.8-5 (includes fix)

*Please note that this is an issue for the Alpha architecture only.
OpenVMS on VAX does not support Java.

___________
RESOLUTION:

The following table outlines the suggested resolutions to the
vulnerabilities described above. Suggested remedies will differ on a
product-by-product basis, depending on the developer of the Java
Runtime Environment and any dependencies for synchronization between
server and client side components.

Compaq Insight Manager XE

Compaq Insight Manager XE uses the Microsoft Java Runtime Environment
integrated into Microsoft Internet Explorer. Compaq recommends that
Compaq Insight Manager XE users upgrade to Compaq Insight Manager 7
SP1, which will be available for download in the first half of May at
http://www.compaq.com/manage. Compaq Insight Manager 7 SP1 leverages
version 1.3.1_02 of the Sun Java Runtime Environment, which addresses
the vulnerability described above.

Prior to the release of Compaq Insight Manager 7 SP1, Compaq
recommends that users exercise care when browsing to sites outside of
the internal network using a browser with a vulnerable version of the
Microsoft Java Runtime Environment. While it is possible to update the
browser to the version of the Java Runtime Environment recommended by
Microsoft, this version has not been tested with Compaq Insight
Manager XE and Compaq cannot guarantee that Insight Manager XE will
function properly.

Compaq Insight Manager 7

Compaq Insight Manager 7 uses the Sun Java Runtime Environment version
1.3.1 in place of the Microsoft Java Runtime Environment. Compaq is in
the process of incorporating version 1.3.1_02 of the runtime
environment, which fixes the aforementioned vulnerability, into Compaq
Insight Manager 7 Service Pack 1. Compaq Insight Manager 7 SP1 will be
available at the beginning of May.

Users may not use version 1.3.1_02 of the plug-in with the current
version of Compaq Insight Manager 7, as newer versions of the Sun Java
Runtime Environment are not backwards compatible and Insight Manager 7
may not function properly if client and server side runtime
environments are not of the same version.

Compaq recommends that current Compaq Insight Manager 7 users close
Microsoft Internet Explorer prior to browsing to untrusted sites
outside of the corporate firewall. This will ensure that the Java
plug-in is closed prior to browsing to sites on the public Internet.
With Compaq Insight Manager 7 SP1, the requirement to close the
browser prior to visiting public sites will be removed.

Compaq Management Agents

Update to the version of the Java Runtime Environment that Microsoft
recommends. This information may be found at
http://www.microsoft.com/java/vm/dl_vm40.htm

Remote Insight Lights-Out Edition / Integrated Lights-Out on ProLiant
DL360 G2

Update to the Java(tm) 2 Runtime Environment, Standard Edition,
version 1.3.1_02. To download this software, follow the hyperlink
http://java.sun.com/j2se/1.3/

Compaq Tru64 UNIX

  Tru64 UNIX - Java 1.1.7B-10
  Tru64 UNIX - Java 1.1.8-13  (includes fix)
  Tru64 UNIX - Java 1.2.2-12
  Tru64 UNIX - Java 1.3.0-1
  Tru64 UNIX - Java 1.3.1-2   (includes fix)

It is critical that the information posted at
http://www.compaq.com/java/alpha be reviewed before updating Java.

Tru64 UNIX 5.0 and higher include some Java-based tools that depend on
the Java environment version that ships with the operating system and
is installed in /usr/bin. If you change the default system Java
environment version, some operating system tools, such as the SysMan
Station, the SysMan Station authentication daemon, and the Logical
Storage Manager (LSM) Storage Administrator, will not work correctly.

Compaq OpenVMS

The following table shows Java versions that are available at
http://www.compaq.com/java/alpha and indicates if the version includes
the fix:

  Compaq OpenVMS - Java 1.1.8-5  (includes fix)
  Compaq OpenVMS - Java 1.2.2-3
  Compaq OpenVMS - Java 1.3.0-2  (includes fix)
  Compaq OpenVMS - Java 1.3.1-2  (includes fix)

It is critical that the information posted at
http://www.compaq.com/java/alpha be reviewed before updating Java.

__________
SUBSCRIBE:

To subscribe to automatically receive future Security Advisories from
Compaq's Software Security Response Team via electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml

_______
REPORT:

To report a potential security vulnerability with any Compaq supported
product, send email to mailto:security-ssrt@compaq.com or
mailto:sec-alert@compaq.com

Compaq appreciates your cooperation and patience. As always, Compaq
urges you to periodically review your system management and security
procedures. Compaq will continue to review and enhance the security
features of its products and work with our customers to maintain and
improve the security and integrity of their systems.

"Compaq is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected Compaq products the
important security information contained in this Bulletin. Compaq
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. Compaq does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, Compaq
will not be responsible for any damages resulting from user's use or
disregard of the information provided in this Bulletin."

Copyright 2002 Compaq Information Technologies Group, L.P. Compaq
shall not be liable for technical or editorial errors or omissions
contained herein. The information in this document is subject to
change without notice. Compaq and the names of Compaq products
referenced herein are, either, trademarks and/or service marks or
registered trademarks and/or service marks of Compaq Information
Technologies Group, L.P. Other product and company names mentioned
herein may be trademarks and/or service marks of their respective
owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPOFxFDnTu2ckvbFuEQKjvQCgrIbosO8ILvkzRikR2nit/mzy1k4An3TK
aVsSiWVhRI67p1RCnquAtuf2
=VRtm
-----END PGP SIGNATURE-----