[cisco-ttl] Cisco Security Response: Vulnerability in Java Secure Socket

From: Cisco Systems Product Security Incident Response Team <psirt_at_....>
Date: Wed, 25 Jul 2007 11:35:14 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Vulnerability in Java Secure Socket Extension

http://www.cisco.com/warp/public/707/cisco-sr-20070725-jsse.shtml

Revision 1.0

For Public Release 2007 July 25 1600 UTC (GMT)

+--------------------------------------------------------------------
Cisco Response


This is the Cisco PSIRT response to the vulnerability in Java Secure Socket Extension (JSSE) disclosed by Sun Microsystems on July 10, 2007, the details of which are available at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1.

There are no workarounds available for this vulnerability. Cisco recommends that customers update all vulnerable applications and components to provide the greatest protection from the listed vulnerability. Cisco will update this document in the event of any changes.

Additional Information


Some versions of Sun JSSE do not properly handle certain Transport Layer Security (TLS) or Secure Sockets Layer (SSL) handshake requests. A device running an affected JSSE version will experience excessive CPU usage, which may affect normal device operation and result in a denial of service (DoS) condition.

Sun has provided a comprehensive list of affected JSSE versions at the previously listed URL. Please refer to the Sun Alert Notification for details.

Products Affected by the JSSE Vulnerability
+------------------------------------------

Note: The following list is subject to change. Cisco is continuing to review the potential impact of this vulnerability on its products; this list may be updated to include additional Cisco products that are affected by this vulnerability.

The following products are affected by the Sun JSSE issue listed in this Security Response:

Workarounds
+----------

There is no workaround for this issue, but mitigation is possible.

Cisco Unified CallManager and Cisco Unified Presence customers are advised to restrict access to the administrative interface to the IP addresses of known management stations. Information on how to implement such access restrictions is available at the following link:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008085f858.html

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Revision History


+-----------------------------------------------------------+
| Revision 1.0 | 2007-July-25 | Initial public release |
+-----------------------------------------------------------+

Cisco Security Procedures


Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
All contents are Copyright (C) 2006-2007 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Jul 25, 2007                              Document ID: 97830


+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGp29J8NUAbBmDaxQRAquxAJ9DAvYwVb4G11mf5+xVsQ1ZcG55hQCfUwhX Ote8IEVStps8zvcXmh/qZZU=
=WCDS
-----END PGP SIGNATURE-----



cust-security-announce mailing list
cust-security-announce_at_cisco.com
To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave_at_cisco.com Received on Sun Jul 29 2007 - 13:32:31 CEST

This archive was generated by hypermail 2.2.0 : Sun Jul 29 2007 - 13:33:08 CEST