|
|
[cisco-ttl] Cisco Security Response: Vulnerability in Java Secure Socket
From: Cisco Systems Product Security Incident Response Team <psirt_at_....>
Date: Wed, 25 Jul 2007 11:35:14 -0400
Cisco Security Response: Vulnerability in Java Secure Socket Extension http://www.cisco.com/warp/public/707/cisco-sr-20070725-jsse.shtml Revision 1.0 For Public Release 2007 July 25 1600 UTC (GMT)
+-------------------------------------------------------------------- This is the Cisco PSIRT response to the vulnerability in Java Secure Socket Extension (JSSE) disclosed by Sun Microsystems on July 10, 2007, the details of which are available at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1. There are no workarounds available for this vulnerability. Cisco recommends that customers update all vulnerable applications and components to provide the greatest protection from the listed vulnerability. Cisco will update this document in the event of any changes. Additional Information Some versions of Sun JSSE do not properly handle certain Transport Layer Security (TLS) or Secure Sockets Layer (SSL) handshake requests. A device running an affected JSSE version will experience excessive CPU usage, which may affect normal device operation and result in a denial of service (DoS) condition. Sun has provided a comprehensive list of affected JSSE versions at the previously listed URL. Please refer to the Sun Alert Notification for details.
Products Affected by the JSSE Vulnerability
Note: The following list is subject to change. Cisco is continuing to review the potential impact of this vulnerability on its products; this list may be updated to include additional Cisco products that are affected by this vulnerability. The following products are affected by the Sun JSSE issue listed in this Security Response:
Workarounds
There is no workaround for this issue, but mitigation is possible. Cisco Unified CallManager and Cisco Unified Presence customers are advised to restrict access to the administrative interface to the IP addresses of known management stations. Information on how to implement such access restrictions is available at the following link: THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Revision History
+-----------------------------------------------------------+ Cisco Security Procedures
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
+-------------------------------------------------------------------- Updated: Jul 25, 2007 Document ID: 97830-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGp29J8NUAbBmDaxQRAquxAJ9DAvYwVb4G11mf5+xVsQ1ZcG55hQCfUwhX
Ote8IEVStps8zvcXmh/qZZU=
cust-security-announce mailing list cust-security-announce_at_cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave_at_cisco.com Received on Sun Jul 29 2007 - 13:32:31 CEST This archive was generated by hypermail 2.2.0 : Sun Jul 29 2007 - 13:33:08 CEST |