CVE-2006-3127
CVSS7.8
发布时间 :2006-06-21 19:02:00
修订时间 :2011-03-07 00:00:00
NMCOS    

[原文]Memory leak in Network Security Services (NSS) 3.11, as used in Sun Java Enterprise System 2003Q4 through 2005Q1 and Java System Directory Server 5.2, allows remote attackers to cause a denial of service (memory consumption) by performing a large number of RSA cryptographic operations.


[CNNVD]Sun Java Enterprise System/Java System 目录服务器 网络安全服务库 内存泄露漏洞(CNNVD-200606-394)

        网络安全服务(NSS)是一组函数库,可跨平台提供SSL、S/MIME和其他Internet安全标准支持。
        Sun Java Enterprise System和Java System目录服务器中所使用的NSS中存在内存泄露漏洞,如果远程攻击者执行了大量RSA加密操作的话,就会耗尽大量系统内存,导致拒绝服务。

- CVSS (基础分值)

CVSS分值: 7.8 [严重(HIGH)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-399 [资源管理错误]

- CPE (受影响的平台与产品)

cpe:/a:sun:java_enterprise_system:2005q1
cpe:/a:sun:java_enterprise_system:2003q4
cpe:/a:sun:java_system_directory_server:5.2Sun Java System Directory Server 5.2
cpe:/a:sun:java_enterprise_system:2004q2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3127
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3127
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-394
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2007/1573
(VENDOR_ADVISORY)  VUPEN  ADV-2007-1573
http://www.securityfocus.com/bid/20846
(UNKNOWN)  BID  20846
http://www.securityfocus.com/bid/18604
(UNKNOWN)  BID  18604
http://www.redhat.com/archives/fedora-package-announce/2006-June/msg00155.html
(UNKNOWN)  FEDORA  FEDORA-2006-728
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102896-1
(UNKNOWN)  SUNALERT  102896
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102461-1
(VENDOR_ADVISORY)  SUNALERT  102461
http://securitytracker.com/id?1016294
(UNKNOWN)  SECTRACK  1016294
http://secunia.com/advisories/25048
(VENDOR_ADVISORY)  SECUNIA  25048

- 漏洞信息

Sun Java Enterprise System/Java System 目录服务器 网络安全服务库 内存泄露漏洞
高危 设计错误
2006-06-21 00:00:00 2007-08-13 00:00:00
远程  
        网络安全服务(NSS)是一组函数库,可跨平台提供SSL、S/MIME和其他Internet安全标准支持。
        Sun Java Enterprise System和Java System目录服务器中所使用的NSS中存在内存泄露漏洞,如果远程攻击者执行了大量RSA加密操作的话,就会耗尽大量系统内存,导致拒绝服务。

- 公告与补丁

        "临时解决方法:
        * 使用以下命令重启LDAP服务进程:
        在UNIX系统上(通常以root用户):
        # /start-slapd
        在Windows系统上,打开"服务"面板然后手动启动服务。
        厂商补丁:
        Sun Java Enterprise System 2004Q2
        Sun 121656-09
        Sun Java Enterprise System (for linux)
        http://sunsolve.sun.com/search/pdownload.pl?target=121656-09&method=fs
        Sun Java Enterprise System 2005Q1
        Sun 121656-09
        Sun Java Enterprise System (for linux)
        http://sunsolve.sun.com/search/pdownload.pl?target=121656-09&method=fs
        Sun Java Enterprise System 2003Q4
        Sun 121656-09
        Sun Java Enterprise System (for linux)
        http://sunsolve.sun.com/search/pdownload.pl?target=121656-09&method=fs
        

- 漏洞信息

27621
Network Security Services (NSS) RSA Cryptographic Operation Saturation DoS
Denial of Service
Loss of Availability

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-06-19 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Mozilla Network Security Services Library Remote Denial of Service Vulnerability
Design Error 18604
Yes No
2006-06-22 12:00:00 2012-01-11 05:00:00
The original discoverer of this issue is currently unknown. This issue was disclosed in the referenced Sun alert.

- 受影响的程序版本

Sun ONE Application Server 7.0 UR2 Upgrade Standard
Sun ONE Application Server 7.0 UR2 Upgrade Platform
Sun ONE Application Server 7.0 UR2 Standard Edition
Sun ONE Application Server 7.0 UR2 Platform Edition
Sun ONE Application Server 7.0 UR1 Standard Edition
Sun ONE Application Server 7.0 UR1 Platform Edition
Sun ONE Application Server 7.0 Standard Edition
Sun ONE Application Server 7.0 Platform Edition
Sun Java System Web Server 6.0 SP9
Sun Java System Web Server 6.0 SP8
Sun Java System Web Server 6.0 SP7
Sun Java System Web Server 6.0 SP6
Sun Java System Web Server 6.0 SP5
Sun Java System Web Server 6.0 SP4
Sun Java System Web Server 6.0 SP3
Sun Java System Web Server 6.0 SP2
Sun Java System Web Server 6.0 SP1
Sun Java System Web Server 6.0
Sun Java System Directory Server 5.2 Patch4
Sun Java System Directory Server 5.2 Patch3
Sun Java System Directory Server 5.2 Patch2
Sun Java System Directory Server 5.2
Sun Java Enterprise System 2005Q1
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
+ Sun Solaris 10.0_x86
+ Sun Solaris 10
Sun Java Enterprise System 2004Q2
+ Sun Solaris 9
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
Sun Java Enterprise System 2003Q4
+ Sun Solaris 9
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
Netscape Browser 8.1
Mozilla Thunderbird 1.5.0.4
Mozilla Network Security Services (NSS) 3.11
Mozilla Firefox 1.5.0.4
Mozilla Browser 1.7.13
K-Meleon K-Meleon 0.9.13
Blue Coat Systems Policy Center 8.7
Blue Coat Systems Policy Center 8.6
Blue Coat Systems Policy Center 0
AOL Instant Messenger 5.9.3861 .0
Sun ONE Application Server 7.0 Update 3
Sun Java System Web Server 6.0 SP10
Blue Coat Systems Policy Center 8.7.2

- 不受影响的程序版本

Sun ONE Application Server 7.0 Update 3
Sun Java System Web Server 6.0 SP10
Blue Coat Systems Policy Center 8.7.2

- 漏洞讨论

NSS is susceptible to a remote denial-of-service vulnerability. This issue is due to a memory leak in the library.

This issue allows remote attackers to consume excessive memory resources on affected computers. This may lead to computer hangs or panics, denying service to legitimate users.

NSS version 3.11 is affected by this issue.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

- 解决方案

Please see the referenced advisories for more information.


Sun Java Enterprise System 2004Q2

Sun Java Enterprise System 2005Q1

Sun Java Enterprise System 2003Q4

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站