PT-2003-2174 · Oracle · Java Plug-In+4
Published: 2003-12-31 · Updated: 2024-02-09 · CVE-2003-1229
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Java Secure Socket Extension (JSSE) in SDK and JRE versions 1.4.0 through 1.4.0_01
JSSE versions prior to 1.0.3
Java Plug-in SDK and JRE versions 1.3.0 through 1.4.1
Java Web Start versions 1.0 through 1.2
Description
The X509TrustManager in the affected software incorrectly calls the isClientTrusted method when determining server trust. This results in improper validation of digital certificates, allowing remote attackers to falsely authenticate peers for SSL or incorrectly validate signed JAR files.
Recommendations
For Java Secure Socket Extension (JSSE) in SDK and JRE versions 1.4.0 through 1.4.0_01, update to a version outside of this range to resolve the issue.
For JSSE versions prior to 1.0.3, update to version 1.0.3 or later.
For Java Plug-in SDK and JRE versions 1.3.0 through 1.4.1, update to a version outside of this range.
For Java Web Start versions 1.0 through 1.2, update to a version later than 1.2.
Fix
Improper Certificate Validation
Weakness Enumeration
Affected Products
JRE
JSSE
Java Plug-In
Java Web Start
SDK