Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4031
HistoryJan 28, 2003 - 12:00 a.m.

Incorrect Certificate Validation in Java Secure Socket Extension

2003-01-2800:00:00
vulners.com
69
JSON

According to SUN it has been reported that: "the Java Secure Socket
Extension (JSSE) may incorrectly validate the digital certificate of a
web site. This may result in untrustworthy web sites being
authenticated for SSL transactions. The Java Plug-in and Java Web Start
may incorrectly validate the digital certificates of signed JAR files.
This may result in untrustworthy code being executed as trusted code."

>From the JSSE changelog: "If an SSLContext was initialized
(SSLContext.init()) with an instance of the X509TrustManager
implementation, JSSE 1.0.3 incorrectly called the isClientTrusted()
method when making server trust decisions."

The SUN bulletin:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081&zone_32=category%3Asecurity

The changelog Java(tm) Secure Socket Extension 1.0.3_01 mentions this
vulnerability
http://java.sun.com/products/jsse/CHANGES.txt


-Alex

JSON