Vulnerability CVE-2003-1229 - CERT Civis.Net

Vulnerability Name:

CVE-2003-1229 (CCN-11182)

Assigned:

2003-01-23

Published:

2003-01-23

Updated:

2022-09-13

Summary:

X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: BUGTRAQ
Type: Broken Link
20030128 Incorrect Certificate Validation in Java Secure Socket Extension

Source: CCN
Type: BugTraq Mailing List, Tue Jan 28 2003 - 02:04:29 CST
Incorrect Certificate Validation in Java Secure Socket Extension

Source: MITRE
Type: CNA
CVE-2003-1229

Source: CONFIRM
Type: Vendor Advisory
http://java.sun.com/products/jsse/CHANGES.txt

Source: CCN
Type: SA7943
Java fails to validate certificates

Source: SECUNIA
Type: Broken Link, Patch, Vendor Advisory
7943

Source: CCN
Type: SECTRACK ID: 1006001
Sun Java Secure Socket Extension (JSSE) May Incorrectly Authenticate Invalid Entities

Source: CCN
Type: SECTRACK ID: 1006007
(HP Issues Fix) Sun Java Secure Socket Extension (JSSE) May Incorrectly Authenticate Invalid Entities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1006007

Source: CCN
Type: SECTRACK ID: 1007483
(HP Issues Fix for Virtualvault) Sun Java Secure Socket Extension (JSSE) May Incorrectly Authenticate Invalid Entities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1007483

Source: CCN
Type: Sun Alert ID: 50081
Incorrect Certificate Validation in Java Secure Socket Extension (JSSE), Java Plug-In and Java Web Start

Source: SUNALERT
Type: Patch, Vendor Advisory
50081

Source: CCN
Type: OSVDB ID: 19786
Multiple Java Package X509TrustManager isClientTrusted Method Trust Failure

Source: BID
Type: Patch, Third Party Advisory, VDB Entry
6682

Source: CCN
Type: BID-6682
Sun JSSE/Java Plug-In/Java Web Start Incorrect Certificate Validation Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1006001

Source: HP
Type: Broken Link
HPSBUX0301-239

Source: XF
Type: Third Party Advisory, VDB Entry
sun-java-improper-validation(11182)

Source: XF
Type: UNKNOWN
sun-java-improper-validation(11182)

Source: OVAL
Type: Broken Link
oval:org.mitre.oval:def:5883

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:jre:1.4.0_02:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1_03:*:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4.0_02:*:windows:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0:*:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_01:*:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.0_05:*:windows:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.1:*:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.0_02:*:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_03:*:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4:*:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_03:*:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.4:*:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_05:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1_05:*:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4.1:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.4:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1:update1a:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_03:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:*:windows:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1_03:*:solaris:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.2:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.0_02:*:windows:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1:update1:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.1:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update5:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_05:*:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4.0_02:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update2:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3_05:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.0_05:*:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_01a:*:windows:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3_02:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1:*:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1:update1:linux:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0.1_02:*:*:*:*:*:*:*

OR cpe:/a:sun:jsse:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_05:*:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4.1:*:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.0_02:*:linux:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4.1:*:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update5:windows:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update2:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update5:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1_05:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jre:1.4:*:windows:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update1:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update2:windows:*:*:*:*:*

OR cpe:/a:sun:jdk:1.3.1_01:*:solaris:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4:*:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1_03:*:linux:*:*:*:*:*

OR cpe:/a:sun:jdk:1.4.0_02:*:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1_05:*:windows:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0.1_01:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.0_02:*:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.1:*:linux:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sun:jre:1.3.1:-:*:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0.1_01:*:*:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0:*:*:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.0.1_02:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.0:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.0:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.1:-:*:*:*:*:*:*

OR cpe:/a:sun:java_web_start:1.2:*:*:*:*:*:*:*

OR cpe:/a:sun:jsse:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.0:update5:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1:update1:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.3.1:update1a:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.3.0:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.3.1_01:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.3.1_01a:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.3.1_05:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.0_02:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.3.0_05:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.3.0_02:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.3.1_03:*:*:*:*:*:*:*

AND

cpe:/o:hp:hp-ux:11.00:*:*:*:*:*:*:*

OR cpe:/o:hp:hp-ux:11.04:*:*:*:*:*:*:*

OR cpe:/o:hp:hp-ux:11.11:*:*:*:*:*:*:*

OR cpe:/o:hp:hp-ux:11.22:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:5883	V	Potential Sec. Vulnerability in Java VM, JSSE, Plug-in, and Webstart. (rev.1)	2008-12-08