ID CVE-2003-1229
Summary X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.
References
Vulnerable Configurations
  • cpe:2.3:a:sun:java_web_start:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:java_web_start:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:java_web_start:1.0.1_01:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:java_web_start:1.0.1_02:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:java_web_start:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.0_02:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.0_02:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.0_05:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.0_05:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_01:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_01:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_01a:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_03:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_03:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_03:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_05:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_05:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3.1_05:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3_02:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.3_05:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4.0_02:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4.0_02:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4.0_02:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4.1:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4.1:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.4.1:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update1:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update2:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update2:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update2:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update5:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update5:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update5:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1:update1:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1:update1:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1:update1a:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1_03:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1_03:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1_03:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1_05:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1_05:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1_05:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.0_02:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.0_02:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.0_02:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.1:*:linux:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.1:*:solaris:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.1:*:windows:*:*:*:*:*
  • cpe:2.3:a:sun:jsse:1.0.3:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
accepted 2008-12-08T04:01:01.013-05:00
class vulnerability
contributors
name Michael Wood
organization Hewlett-Packard
description X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.
family unix
id oval:org.mitre.oval:def:5883
status accepted
submitted 2008-10-30T17:10:24.000-04:00
title and Webstart. (rev.1)
version 31
refmap via4
bid 6682
bugtraq 20030128 Incorrect Certificate Validation in Java Secure Socket Extension
confirm http://java.sun.com/products/jsse/CHANGES.txt
hp HPSBUX0301-239
sectrack
  • 1006001
  • 1006007
  • 1007483
secunia 7943
sunalert 50081
xf sun-java-improper-validation(11182)
Last major update 11-10-2017 - 01:29
Published 31-12-2003 - 05:00