-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2012.0016
  BEAST SSL/TLS vulnerability identified in Oracle GlassFish Enterprise
           Server and Sun Java System Application Server
                              3 February 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle GlassFish Enterprise Server 2.1.1
                      Sun Java System Application Server 8.1
                      Sun Java System Application Server 8.2
Operating System:     Windows
                      AIX
                      Linux variants
                      Solaris
Impact/Access:        Access Confidential Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3389
Member content until: Sunday, March 4 2012
Reference:            ASB-2012.0003
                      ASB-2011.0092
                      ESB-2011.0979

OVERVIEW

        A vulnerability has been identified in Oracle GlassFish Enterprise
        Server 2.1.1 and Sun Java System Application Server 8.1 and 8.2. [1]

IMPACT

        The vulnerability, known as the "BEAST" attack, exists in the SSL/TLS
        implementation of these products and "... allows man-in-the-middle
        attackers to obtain plaintext HTTP headers via a blockwise
        chosen-boundary attack (BCBA) on an HTTPS session...." [2]

MITIGATION

        Fixes are available from Oracle to correct these issues. [1]

REFERENCES

        [1] CVE-2011-3389 Chosen-plaintext attack against SSL/TLS in GlassFish
            http://blogs.oracle.com/sunsecurity/entry/cve_2011_3389_chosen_plaintext2

        [2] Vulnerability Summary for CVE-2011-3389
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTytjhO4yVqjM2NGpAQKMjBAApRYFrccTphFVgb+/3+qPkUga/L4MjtNv
47jJ/pUKQnBNBgIK3snmwvvAn8ng04nw1mdmKjWJmYOa0wAzdG0U4Ctks8uaNTQ+
nxxtiBuWOJpQICI2miDgmH4vdOs/fjfGesCXyryzSlIcS9fvixcVZYUeNE/ZFg1Z
xEJEr7hHyhZzgx1PlZ2egdD9YrhihJRJgfGBZVChorRleCUIFrF++NSq++UrvuGc
oE/RydtZQHpHVfoAxRU/7s07oZMfJt3tZOtYIwMRPxOUWDb95dtihFXlKSl74hTR
fM7y9xhLDsSh1Kirg6Vt4T14yqMm1VXbn5fZLwlDL5Tb5jQl+x5m4K9OPovvu4ES
9RGXPIf0uh1owKEgMcnp07MTEByJxkmfNgsT7QQwr7FIvrukMoIk0t0VPQq/7MSU
S4MDcqmz0VZ4+fGtq3XRJtDgMvnKKFA/raM+eAqMVsajl3AMc2lEU7U8zqtuZyAY
XryDtlV4iQ2zI3OSnvZ4W03oyJ7Bv5e8moTsXEwr4WKwH+a3Q9Ep5RZKyGdDonuH
7xkzGmLHMB0jX/mqvu0igg0Xm2aDS9+5Aw8pUsiDv3r2Ek7GVB4hrHjO+KSAC+IR
pZFeYsb6/2YmXbYb7anrzgr1hX8DU9WumQ8On9Y9c6LIxFL/reov0dlN0slUx+Ag
ZaSSKW2NdQE=
=gNNV
-----END PGP SIGNATURE-----
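A defender-side exposure check to accompany the IMPACT and MITIGATION sections above. This is an added example, not part of the AusCERT bulletin and not Oracle's fix: BEAST (CVE-2011-3389) needs a protocol version whose CBC record layer chains IVs across records (SSL 3.0 / TLS 1.0) together with a CBC cipher suite, so the script classifies a negotiated (protocol, cipher) pair on that basis and, optionally, probes a host to obtain one. The host name `appserver.example.internal` is a placeholder; the `probe` helper assumes the local OpenSSL build still permits a TLS 1.0 handshake (recent builds refuse it regardless of the `@SECLEVEL=0` request), and the cipher classification assumes OpenSSL-style suite names as returned by Python's `ssl` module. Applying the vendor patches in [1] remains the remedy; the probe only tells you whether a given listener is still exposed.

```python
"""Classify a TLS endpoint's negotiated parameters for BEAST (CVE-2011-3389)
exposure.  Added example; not code from the bulletin or from Oracle."""
import socket
import ssl

# Protocol versions whose CBC record layer reuses the previous record's last
# ciphertext block as the next IV, the property the BEAST BCBA relies on.
CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1"}


def is_cbc_suite(cipher_name):
    """True if an OpenSSL-style cipher name denotes a CBC-mode suite.

    OpenSSL names CBC suites such as 'AES128-SHA' or 'DES-CBC3-SHA' without a
    reliable 'CBC' token, so we classify by exclusion: AEAD suites carry GCM,
    CCM or CHACHA20/POLY1305, stream ciphers carry RC4, and NULL suites do no
    encryption at all.  Any remaining block-cipher name is CBC.
    """
    n = cipher_name.upper()
    if any(tok in n for tok in ("GCM", "CCM", "CHACHA20", "POLY1305")):
        return False
    if "RC4" in n or "NULL" in n:
        return False
    return any(tok in n for tok in ("AES", "DES", "CAMELLIA", "SEED", "IDEA"))


def beast_exposure(protocol, cipher_name):
    """Return ('exposed' | 'not-exposed', reason) for one negotiated pair."""
    if protocol not in CHAINED_IV_PROTOCOLS:
        return "not-exposed", f"{protocol} uses per-record IVs"
    if not is_cbc_suite(cipher_name):
        return "not-exposed", f"{cipher_name} is not a CBC suite"
    return "exposed", f"{protocol} with CBC suite {cipher_name}"


def probe(host, port=443, timeout=5.0):
    """Offer only TLS 1.0 and return the negotiated (protocol, cipher), or None.

    A None result means the server (or the local OpenSSL) refused TLS 1.0,
    which is the desired outcome; a tuple means TLS 1.0 is still reachable
    and should be fed to beast_exposure().  Certificate checks are disabled
    because we only want the negotiated parameters, not a trust decision.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # ask OpenSSL to offer legacy suites
    except (ValueError, ssl.SSLError):
        return None  # local build cannot speak TLS 1.0 at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    # Placeholder host; substitute a listener you administer.
    result = probe("appserver.example.internal")
    if result is None:
        print("TLS 1.0 not negotiable: not exposed to BEAST")
    else:
        print(beast_exposure(*result))
```

The classification is deliberately separate from the network probe so it can be run over an inventory exported from a scanner or from server logs. Note that `is_cbc_suite` returning False for an RC4 suite means only that BEAST does not apply; RC4 has its own weaknesses and is not a recommended substitute.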