Eight-month-old TLS renegotiation bug finally patched

Apr 2, 2010 14:48 GMT  ·  By

The 19th update of Java SE version 6 patches 27 remotely exploitable security vulnerabilities affecting the platform. It also implements the IETF's standard fix (RFC 5746) for the TLS renegotiation bug discovered last August.

This is the first Java update since Oracle completed its acquisition of Sun Microsystems back in January, and it contains separate releases for Java SE and Java for Business, covering both the JDK (Java Development Kit) and the JRE (Java Runtime Environment) of version 6. Corresponding updates for JDK 5.0 and SDK 1.4.2 are available only to paying Java for Business customers, as these releases have reached their end of life.

Notable changes are the addition of seven new root CA certificates and the replacement of some older ones with newer versions, as well as a new warning dialog for applets and Java Web Start applications that mix signed and unsigned code. The update also implements the Transport Layer Security (TLS) Renegotiation Indication Extension (RFC 5746), which the Internet Engineering Task Force (IETF) issued in response to the renegotiation bug discovered last August.

The authentication gap in the TLS session renegotiation procedure was discovered by Marsh Ray, a software engineer at PhoneFactor. TLS did not bind a renegotiated handshake to the session that preceded it, so a man-in-the-middle (MitM) can open a connection to the server, send data of its own choosing, and then splice the victim's handshake into the same connection as a renegotiation; the server treats the attacker's bytes as the beginning of the victim's authenticated stream. The attacker cannot read the victim's traffic, but injecting a chosen plaintext prefix is enough to turn a victim's HTTP request into an attacker-chosen one carrying the victim's cookies or credentials. A practical attack using this technique was demonstrated against Twitter in November by Anil Kurmus, a security researcher from the French Eurecom Institute.
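To make the two halves of that story concrete, here is an added example (not code from the article, Oracle or Sun) that models the prefix-injection splice at the HTTP layer and then the RFC 5746 `renegotiation_info` check that defeats it. Everything in it is constructed for illustration: the `bank.example` host, the `X-Ignore:` trick that swallows the victim's request line, the session token, and a SHA-256 stand-in for the TLS PRF that produces the `verify_data` values. Real TLS stacks carry the extension in the ClientHello and ServerHello and abort with a fatal alert on mismatch; the model keeps only the comparison that matters.

```python
"""
Constructed model of the 2009 TLS renegotiation prefix-injection attack
(Marsh Ray) and of the RFC 5746 renegotiation_info check that stops it.
Added example, not code from the article, Oracle or Sun; every request,
host name and secret below is made up for illustration.
"""
import hashlib


# --- Application layer: what the server sees after a spliced renegotiation ---

# Constructed traffic. The attacker controls only ATTACKER_PREFIX; it cannot
# read VICTIM_REQUEST, which arrives encrypted under the victim's session.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "          # no CRLF: the victim's request line lands here
)
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def spliced_stream(attacker_prefix: bytes, victim_request: bytes) -> bytes:
    """Pre-RFC 5746, a server treats data sent before and after a
    renegotiation as one continuous application stream, so the victim's
    bytes are simply appended to whatever the attacker sent first."""
    return attacker_prefix + victim_request


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, target, {header: value}).
    Duplicate headers keep the last value, as many real servers do."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    return method.decode(), target.decode(), headers


# --- Handshake layer: RFC 5746 binds a renegotiation to the prior handshake ---

class TlsEndpoint:
    """State each side keeps per connection: the verify_data from the most
    recent Finished messages (empty before any handshake)."""
    def __init__(self):
        self.client_verify_data = b""
        self.server_verify_data = b""


def verify_data(master_secret: bytes, label: bytes) -> bytes:
    # Stand-in for the TLS PRF over the handshake transcript (constructed).
    return hashlib.sha256(label + master_secret).digest()[:12]


def complete_handshake(client: TlsEndpoint, server: TlsEndpoint,
                       master_secret: bytes) -> None:
    """Both peers record the Finished verify_data of this handshake."""
    cvd = verify_data(master_secret, b"client finished")
    svd = verify_data(master_secret, b"server finished")
    for ep in (client, server):
        ep.client_verify_data, ep.server_verify_data = cvd, svd


def client_hello(client: TlsEndpoint) -> dict:
    """RFC 5746 section 3.5: renegotiation_info carries the client_verify_data
    of the previous handshake on this connection, or is empty on an initial
    handshake."""
    return {"renegotiation_info": client.client_verify_data}


def server_accepts_hello(server: TlsEndpoint, hello: dict) -> bool:
    """RFC 5746 section 3.6: the server compares the extension with its own
    record for the connection and aborts the handshake on any mismatch."""
    return hello["renegotiation_info"] == server.client_verify_data


def mitm_renegotiation_accepted() -> bool:
    """Attacker connects first, then forwards the victim's fresh ClientHello
    into the same connection as a renegotiation. The victim has no prior
    handshake, so its extension is empty while the server expects the
    attacker's verify_data: the splice is refused."""
    attacker, server = TlsEndpoint(), TlsEndpoint()
    complete_handshake(attacker, server, b"attacker-connection-secret")
    victim = TlsEndpoint()               # an initial handshake, from its view
    return server_accepts_hello(server, client_hello(victim))


def honest_renegotiation_accepted() -> bool:
    """A client renegotiating on its own connection presents the right
    verify_data and is accepted."""
    client, server = TlsEndpoint(), TlsEndpoint()
    complete_handshake(client, server, b"client-connection-secret")
    return server_accepts_hello(server, client_hello(client))


if __name__ == "__main__":
    method, target, hdrs = parse_http_request(
        spliced_stream(ATTACKER_PREFIX, VICTIM_REQUEST))
    print(method, target, hdrs["cookie"], hdrs["x-ignore"])
    print("MitM splice accepted:", mitm_renegotiation_accepted())
    print("Honest renegotiation accepted:", honest_renegotiation_accepted())
```

Running it shows the server acting on the attacker's transfer request with the victim's `Cookie:` header attached, while the victim's own request line has been neutralised into the value of `X-Ignore:`. With the RFC 5746 binding in place the spliced handshake fails before any application data is accepted, which is exactly why the extension has to be deployed on both the client and the server side; a Java 6u19 client talking to an unpatched server is still at risk until that server is updated.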

Of the 27 remotely exploitable vulnerabilities addressed by the update, 9 affect the Java Runtime Environment (JRE) and 3 affect Java Web Start, two of the most widely used Java components. And even though the JRE is not attacked as frequently as other popular software such as Adobe Reader or Adobe Flash Player, it is still a target of various Web exploit kits.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU [Critical Patch Update] fixes as soon as possible," the accompanying advisory reads.

Java Runtime Environment (JRE) Version 6 Update 19 can be downloaded from here. Java SE Development Kit (JDK) Version 6 Update 19 can be downloaded from here.