Sun JSSE/Java Plug-In/Java Web Start Incorrect Certificate Validation Vulnerability

Release date: 2003-02-06
Updated: 2003-02-11

Affected systems:
Sun JRE (Linux Production Release) 1.4.1
Sun JRE (Linux Production Release) 1.4.0_02
Sun JRE (Linux Production Release) 1.4
Sun JRE (Linux Production Release) 1.3.1_05
Sun JRE (Linux Production Release) 1.3.1_03
Sun JRE (Linux Production Release) 1.3.1_01
Sun JRE (Linux Production Release) 1.3.1
Sun JRE (Linux Production Release) 1.3.0_05
Sun JRE (Linux Production Release) 1.3.0_02
Sun JRE (Solaris Production Release) 1.4.1
Sun JRE (Solaris Production Release) 1.4
Sun JRE (Solaris Production Release) 1.3_05
Sun JRE (Solaris Production Release) 1.3.1_05
Sun JRE (Solaris Production Release) 1.3.1_03
Sun JRE (Solaris Production Release) 1.3.1_01
Sun JRE (Solaris Production Release) 1.3.0_02
Sun JRE (Solaris Production Release) 1.3
Sun JRE (Windows Production Release) 1.4.1
Sun JRE (Windows Production Release) 1.4
Sun JRE (Windows Production Release) 1.3_05
Sun JRE (Windows Production Release) 1.3.1_05
Sun JRE (Windows Production Release) 1.3.1_03
Sun JRE (Windows Production Release) 1.3.1_01a
Sun JRE (Windows Production Release) 1.3.0_02
Sun JRE (Windows Production Release) 1.3
Sun SDK (Linux Production Release) 1.4.1
Sun SDK (Linux Production Release) 1.4.0_02
Sun SDK (Linux Production Release) 1.4
Sun SDK (Linux Production Release) 1.3_05
Sun SDK (Linux Production Release) 1.3.1_05
Sun SDK (Linux Production Release) 1.3.1_03
Sun SDK (Linux Production Release) 1.3.1_01
Sun SDK (Linux Production Release) 1.3.0_02
Sun SDK (Solaris Production Release) 1.4.1
Sun SDK (Solaris Production Release) 1.4.0_02
Sun SDK (Solaris Production Release) 1.4
Sun SDK (Solaris Production Release) 1.3_05
Sun SDK (Solaris Production Release) 1.3.1_05
Sun SDK (Solaris Production Release) 1.3.1_03
Sun SDK (Solaris Production Release) 1.3.1_01
Sun SDK (Solaris Production Release) 1.3.0_02
Sun SDK (Solaris Production Release) 1.3
Sun SDK (Windows Production Release) 1.4.1
Sun SDK (Windows Production Release) 1.4.0_02
Sun SDK (Windows Production Release) 1.4
Sun SDK (Windows Production Release) 1.3_05
Sun SDK (Windows Production Release) 1.3.1_05
Sun SDK (Windows Production Release) 1.3.1_03
Sun SDK (Windows Production Release) 1.3.1_01a
Sun SDK (Windows Production Release) 1.3.0_02
Sun Java Web Start 1.2
Sun Java Web Start 1.0.1_02
Sun Java Web Start 1.0.1_01
Sun Java Web Start 1.0.1
Sun Java Web Start 1.0
Jetty Jetty 4.2.6
Jetty Jetty 4.2.5
Jetty Jetty 4.2.4
Sun JSSE 1.0.3
Unaffected systems:
Sun JRE (Linux Production Release) 1.4.1_01
Sun JRE (Linux Production Release) 1.4.0_03
Sun JRE (Linux Production Release) 1.3.1_06
Sun JRE (Solaris Production Release) 1.4.1_01
Sun JRE (Solaris Production Release) 1.4.0_03
Sun JRE (Solaris Production Release) 1.3.1_06
Sun JRE (Windows Production Release) 1.4.1_01
Sun JRE (Windows Production Release) 1.4.0_03
Sun JRE (Windows Production Release) 1.3.1_06
Sun SDK (Linux Production Release) 1.4.1_01
Sun SDK (Linux Production Release) 1.4.0_03
Sun SDK (Linux Production Release) 1.3.1_06
Sun SDK (Solaris Production Release) 1.4.1_01
Sun SDK (Solaris Production Release) 1.4.0_03
Sun SDK (Solaris Production Release) 1.3.1_06
Sun SDK (Windows Production Release) 1.4.1_01
Sun SDK (Windows Production Release) 1.4.0_03
Sun SDK (Windows Production Release) 1.3.1_06
Jetty Jetty 4.2.7
Sun JSSE 1.0.3_01
Description:
BUGTRAQ ID: 6682
CVE(CAN) ID: CVE-2003-1229

Java Secure Socket Extension (JSSE) is the Java secure socket extension implementation developed and maintained by Sun.

JSSE does not validate web site certificates correctly. A remote attacker can exploit this so that a malicious, untrusted web site passes SSL certificate validation.

When an SSLContext is initialized (via SSLContext.init()) with an instance of a custom X509TrustManager implementation, JSSE 1.0.3 incorrectly calls the isClientTrusted() method. As a result, a web site's digital certificate can be validated incorrectly and an untrusted site can pass SSL validation. In addition, Java Plug-in and Java Web Start incorrectly validate the certificates of signed JAR files, which can allow untrusted code to run as trusted code.
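The practical consequence of the isClientTrusted() mix-up is that a custom trust manager which treats the client-side method as "accept anything" (a common shortcut in clients that never use client authentication) ends up accepting every server certificate. The following Java snippet is an added example, not code from the advisory or from Sun: it shows that weak pattern next to a hardened trust manager that validates the peer chain in both methods, written against the legacy com.sun.net.ssl API that JSSE 1.0.3 exposed. The `trustStore` argument is assumed to be a caller-supplied KeyStore of trusted CA certificates; the hardening does not replace the vendor fix (JSSE 1.0.3_01), it only removes the dependency on which method the runtime happens to call.

```java
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.TrustManagerFactory;
import com.sun.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// WEAK PATTERN: a client that never performs client authentication
// implements isClientTrusted() as "always true". If the runtime routes
// the server's chain through isClientTrusted() (the JSSE 1.0.3 defect),
// any server certificate, trusted or not, is accepted.
class LaxTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;           // SunX509 trust manager
    LaxTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
    public boolean isClientTrusted(X509Certificate[] chain) { return true; }
    public boolean isServerTrusted(X509Certificate[] chain) {
        return delegate.isServerTrusted(chain);
    }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}

// HARDENED: both methods run the same chain validation against the
// configured trust store, so the outcome does not depend on which
// method the JSSE implementation calls for the peer certificate.
class StrictTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    StrictTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
    private boolean validate(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return false;   // no chain, no trust
        return delegate.isServerTrusted(chain);   // chain must end at a trust anchor
    }
    public boolean isClientTrusted(X509Certificate[] chain) { return validate(chain); }
    public boolean isServerTrusted(X509Certificate[] chain) { return validate(chain); }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}

public class JsseTrustDemo {
    // Build an SSLContext whose trust decisions never depend on the
    // client/server method distinction. trustStore is assumed to hold
    // the CA certificates the application actually trusts.
    public static SSLContext buildContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);
        X509TrustManager base = (X509TrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new StrictTrustManager(base) }, null);
        return ctx;
    }
}
```

A quick check for existing code: grep custom X509TrustManager implementations for an isClientTrusted() (or, on newer JSSE, checkClientTrusted()) that returns unconditionally, since that is the branch the defect turns into a bypass.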

<*Source: Alex Loots (a.loots@itsec-ss.nl)
  
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=104376196615008&w=2
         http://archives.neohapsis.com/archives/hp/2003-q1/0018.html
         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50081
*>

Recommendation:
Vendor patches:

Sun
---
Sun has released a security alert (Sun-Alert-50081) and corresponding patches for this issue:
Sun-Alert-50081: Incorrect Certificate Validation in Java Secure Socket Extension (JSSE), Java Plug-In and Java Web Start
Link: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50081

Users are advised to upgrade to the latest SDK and JRE versions; the fixed releases are listed below:

JSSE in SDK and JRE 1.4.0_02 or later 1.4.0 releases
JSSE 1.0.3_01
Java Plug-in in SDK and JRE 1.4.1_01 or later 1.4.1 releases
Java Plug-in in SDK and JRE 1.4.0_03 or later 1.4.0 releases
Java Plug-in in SDK and JRE 1.3.1_06 or later 1.3.1 releases
Java Web Start in SDK and JRE 1.4.1_01 or later 1.4.1 releases

    
Sun Java Web Start 1.0:
Sun Java Web Start 1.0.1_02:
Sun Java Web Start 1.0.1_01:
Sun Java Web Start 1.0.1:
Sun JSSE 1.0.3:
      Sun Upgrade JSSE 1.0.3_01
      http://java.sun.com/products/jsse/index-103.html

Jetty
-----
The vendor has released an upgrade that fixes this issue; download it from the vendor's home page:

Jetty Upgrade Jetty-4.2.7-src.tgz
http://prdownloads.sourceforge.net/jetty/Jetty-4.2.7-src.tgz?download

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.