Oracle® iPlanet Web Server Release Notes Release 6.1 SP21 E18788-09
The features and enhancements in Oracle iPlanet Web Server 6.1 service pack releases prior to Oracle iPlanet Web Server 6.1 SP12 are described in the individual Release Notes documents specific to those releases, which are available at:
http://docs.oracle.com/cd/E19857-01/index.html
This chapter lists the features and enhancements in Oracle iPlanet Web Server 6.1 SP12 and later releases. It contains the following sections:
Oracle iPlanet Web Server 6.1 SP20 supports Network Security Services (NSS) 3.17.2.
There are no new features and enhancements in Oracle iPlanet Web Server 6.1 SP19. This release addresses security issues.
Oracle iPlanet Web Server 6.1 SP18 supports Network Security Services (NSS) 3.14.3.
There are no new features and enhancements in Oracle iPlanet Web Server 6.1 SP17. This release addresses security issues.
This section lists features and enhancements provided in Oracle iPlanet Web Server 6.1 SP16.
This release addresses the Java hash-table collision security vulnerability, CVE-2011-5035.
A new attribute, maxparametercount, has been added to the JAVA element of the server.xml configuration file. Use it to limit the number of parameters accepted for a JSP or servlet request. A request whose parameter names are crafted to collide in the Java hash table costs the server CPU time proportional to the square of the parameter count, so bounding the count bounds the work a single request from a remote attacker can cause, which is the denial of service this attribute protects against.
If the number of parameters in a request exceeds the configured maxparametercount, the additional parameters are ignored. You can specify any positive integer as the value of maxparametercount. The default value is 10000.
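To see why a parameter-count cap blunts the attack, the following added example (not Oracle's code and not part of the release notes) reproduces Java's String.hashCode(), builds a set of distinct keys that all hash to the same value, and parses a form-encoded query with the truncation behaviour described above. The parse_params function illustrates the documented semantics rather than the server's own parser, and it assumes every name=value pair counts toward the limit; the query string it is fed is constructed.

```python
# Added example: Java String.hashCode() collisions and the maxparametercount
# truncation semantics described in the SP16 notes. Not Oracle's code.
from urllib.parse import unquote_plus

MASK32 = 0xFFFFFFFF


def java_string_hash(s):
    """Java's String.hashCode(): h = 31*h + c over UTF-16 code units, 32-bit wrap."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & MASK32
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(count):
    """Return `count` distinct strings that share one Java hashCode.

    "Aa" and "BB" both hash to 2112, so any concatenation of k such pairs
    collides with every other concatenation of the same length: 2**k keys
    from k pairs, which is all an attacker needs to fill one bucket.
    """
    keys = [""]
    while len(keys) < count:
        keys = [k + pair for k in keys for pair in ("Aa", "BB")]
    return keys[:count]


def parse_params(query, maxparametercount=10000):
    """Parse an application/x-www-form-urlencoded query with the documented
    limit: parameters past maxparametercount are dropped, not rejected.

    Assumption (not stated in the notes): each name=value pair counts once,
    duplicates included. Returns a list of (name, value) tuples.
    """
    params = []
    for field in query.split("&"):
        if not field:
            continue
        if len(params) >= maxparametercount:
            break  # documented behaviour: additional parameters are ignored
        name, _, value = field.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def distinct_hashes(params):
    """Number of distinct Java hash buckets the parameter names would land in."""
    return len({java_string_hash(name) for name, _ in params})


if __name__ == "__main__":
    # Constructed attack query: 4096 distinct names, one hash bucket.
    attack = "&".join(k + "=x" for k in colliding_keys(4096))
    capped = parse_params(attack, maxparametercount=1000)
    print("accepted", len(capped), "of 4096 parameters,",
          distinct_hashes(capped), "distinct hash(es)")
```

The cap does not make the colliding names hash differently; it only limits how many the servlet engine will insert per request, which is what turns the quadratic cost into a fixed, budgetable one.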
This section lists features and enhancements provided in Oracle iPlanet Web Server 6.1 SP15.
A new property, maxrequestsperconnection, is introduced in this release. You can use this property to mitigate the CVE-2011-3389 (BEAST) security vulnerability by lowering the number of requests served on a single keep-alive connection. The attack needs many attacker-influenced requests sent over the same TLS session; closing the connection after a small number of requests forces a fresh handshake, and with it fresh keys, so the attacker's guesses per session are bounded. A low value also costs legitimate clients extra handshakes, so weigh it against load.
You can set maxrequestsperconnection on the LS element in server.xml, as shown in the following example:
<LS id="ls1" port="1892" servername="pegasus.example.com" maxrequestsperconnection="9" defaultvs="https-test"/>
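A configuration check covering this setting and the SP16 maxparametercount attribute, as an added example rather than an Oracle tool: it parses a server.xml fragment and flags listeners that lack or exceed a chosen maxrequestsperconnection, and a JAVA element whose maxparametercount is missing or outside policy. The sample server.xml is constructed (the ls1 line copies the example above; the JAVA element's javahome and enabled attributes are assumptions), and the thresholds max_requests=100 and max_params=10000 are the auditor's own policy, not values the release notes mandate.

```python
# Added example: audit a server.xml fragment for the SP15 maxrequestsperconnection
# and SP16 maxparametercount settings. Not an Oracle utility.
import xml.etree.ElementTree as ET

# Constructed sample. The ls1 line is the release-note example; the JAVA
# element's javahome and enabled attributes are illustrative assumptions.
SAMPLE_SERVER_XML = """<SERVER>
  <LS id="ls1" port="1892" servername="pegasus.example.com" maxrequestsperconnection="9" defaultvs="https-test"/>
  <LS id="ls2" port="8080" servername="pegasus.example.com" defaultvs="http-test"/>
  <JAVA javahome="/usr/jdk/jdk1.6.0_24" enabled="true" maxparametercount="10000"/>
</SERVER>
"""


def audit_server_xml(xml_text, max_requests=100, max_params=10000):
    """Return "OK ..." / "WARN ..." strings, one per checked element.

    max_requests / max_params are this auditor's policy thresholds.
    """
    root = ET.fromstring(xml_text)
    findings = []

    for ls in root.iter("LS"):
        lid = ls.get("id", "?")
        raw = ls.get("maxrequestsperconnection")
        if raw is None:
            findings.append(f"WARN LS {lid}: maxrequestsperconnection not set; "
                            "keep-alive requests per session are not capped")
            continue
        if not raw.isdigit() or int(raw) <= 0:
            findings.append(f"WARN LS {lid}: maxrequestsperconnection={raw!r} "
                            "is not a positive integer")
            continue
        value = int(raw)
        if value > max_requests:
            findings.append(f"WARN LS {lid}: maxrequestsperconnection={value} "
                            f"exceeds policy limit {max_requests}")
        else:
            findings.append(f"OK LS {lid}: maxrequestsperconnection={value}")

    java_elems = list(root.iter("JAVA"))
    if not java_elems:
        findings.append("OK no JAVA element: servlet engine not configured, "
                        "maxparametercount not applicable")
    for java in java_elems:
        raw = java.get("maxparametercount")
        if raw is None:
            findings.append("WARN JAVA: maxparametercount not set; the documented "
                            "default of 10000 applies only on 6.1 SP16 or later")
        elif not raw.isdigit() or int(raw) <= 0:
            findings.append(f"WARN JAVA: maxparametercount={raw!r} is not a positive integer")
        elif int(raw) > max_params:
            findings.append(f"WARN JAVA: maxparametercount={raw} exceeds policy limit {max_params}")
        else:
            findings.append(f"OK JAVA: maxparametercount={raw}")
    return findings


def is_hardened(xml_text, **policy):
    """True when no finding is a WARN."""
    return not any(f.startswith("WARN") for f in audit_server_xml(xml_text, **policy))


if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML):
        print(line)
```

Run it against the real server.xml with `open(path).read()` in place of the sample; the plain HTTP listener ls2 is flagged here because the check does not try to tell TLS listeners from plain ones, which a site-specific version would do before warning.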
Oracle iPlanet Web Server 6.1 SP15 supports Network Security Services (NSS) 3.13.1.0.
This section lists features and enhancements provided in Oracle iPlanet Web Server 6.1 SP14.
In Oracle iPlanet Web Server 6.1 SP14, the JDK 6 version that is packaged with the product has been changed to JDK 6 update 24. This change has been made to address security vulnerability CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number).
For more information about security vulnerability CVE-2010-4476, see the Oracle Security Alert at:
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
This section lists features and enhancements provided in Oracle iPlanet Web Server 6.1 SP13.
Web Server 6.1 SP12 included NSS 3.12.5, which provided relief, but not resolution, for the SSL/TLS renegotiation vulnerability http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555. Additionally, Web Server 6.1 SP12 disabled all use of SSL/TLS renegotiation in order to protect Web Server from attack. If either the client or Web Server attempted to trigger renegotiation on an existing SSL/TLS session, the connection would fail.
Web Server 6.1 SP13 includes NSS 3.12.7, which provides safe SSL/TLS renegotiation and so provides resolution of CVE-2009-3555. As a result, Web Server 6.1 SP13 re-enables use of SSL/TLS renegotiation. For more information about Web Server 6.1 SP13 support for NSS and NSPR, see Section 1.5.13, "NSS and NSPR Support."
As reported in issue 6957507, an HTTP response-splitting and XSS vulnerability was discovered in previous Web Server 6.1 versions. Web Server 6.1 SP13 corrects this vulnerability.
Web Server 6.1 SP13 includes JDK 1.6.0_21.
In response to issue 6951364, the Web Server 6.1 SP13 Admin GUI supports specifying a 2048-bit key size when generating a CSR (Certificate Signing Request) when using Security ⇒ Request a Certificate.
In response to issue 6922063, Web Server 6.1 SP13 sets the default value of Cryptographic Module in the Admin GUI Security ⇒ Request a Certificate to "internal". Additionally, the "NSS Generic Crypto Services" option has been removed.
In response to issue 6972686, the "Request Verisign Certificate" and "Install Verisign Certificate" commands have been removed from the Security tab of the Admin GUI.
Section 3.1, "Corrections and Updates to 6.1 SP12 Manuals" has been updated to address the following documentation issues.
Issue ID | Description
---|---
6938886 | Wrong information of supportable methods should be removed in the Setting Access Rights
6940796 | net_read can set EAGAIN in errno when it times out
6966631 | Statement for PathCheck is not correct
6973013 | web 6.1 doc bug - need to remove the "-" in schedulerd command line stop - "- rm $PID_FILE"
6977268 | web 6.1 and 7.0 doc RFE - all request header names are returned as lowercase
Web Server 6.1 SP12 includes JDK 1.6.0_17 on Solaris, Linux and Windows platforms. Web Server 6.1 SP12 still supports JDK 5 for backward compatibility.
This release contains fixes for important bugs, including the following ones related to security vulnerabilities:
Bug 6916390 describes the format string vulnerabilities in the WebDAV extensions to the Web Server. These issues may allow remote clients to trigger a Web Server crash, thus resulting in a Denial of Service (DoS) condition. These issues may also allow remote unauthorized users to gain elevated privileges, enabling them to access and modify sensitive files.
Bug 6916391 describes the buffer overflow issues in the Digest Authentication methods in the Web Server, which may allow remote unprivileged users to crash the Web Server, thus leading to a Denial of Service (DoS) condition. These issues may also lead to execution of arbitrary code with elevated privileges.
Bug 6916392 describes the heap overflow issue in the HTTP TRACE functionality in the Web Server, which may allow remote unprivileged users to crash the Web Server, thus leading to a Denial of Service (DoS) condition. This issue may also be exploited to gain unauthorized access to sensitive information.
SSL/TLS Vulnerability Fix (CVE-2009-3555)
Web Server 6.1 SP12 includes NSS 3.12.5 which provides relief for the SSL/TLS renegotiation vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
This vulnerability is a flaw in the SSL/TLS renegotiation protocol definition as it stood at the time, not a bug in the Web Server implementation, so there is no implementation-level fix for it. The only workaround is to disable renegotiation entirely in order to protect the Web Server from attack.
Therefore, Web Server 6.1 SP12 disables all use of SSL/TLS renegotiation. If either the client or the Web Server attempts to trigger renegotiation on an existing SSL/TLS session, the connection will fail.
Typically, renegotiation was used to obtain a client certificate some time after the SSL/TLS connection was first established. Web applications that attempt to obtain a client certificate in this fashion will now fail.
Obtaining a client certificate during the initial connection handshake will continue to work correctly. This mode can be configured by setting the client-auth element to 'required' in server.xml:
<http-listener>
  <ssl>
    <client-auth>required</client-auth>
  </ssl>
</http-listener>
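Whether a listener now advertises safe renegotiation can be checked on the wire, which settles the difference between the SP12 behaviour described here (renegotiation disabled outright) and the SP13 behaviour above (RFC 5746 safe renegotiation via NSS 3.12.7). The following added example, not from the release notes or the product, sends a minimal TLS 1.0 ClientHello carrying both RFC 5746 signals (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value and an empty renegotiation_info extension) and reports whether the ServerHello echoes the renegotiation_info extension. The hostname and port are placeholders, the sample ServerHello bytes are constructed, and the parser assumes the whole ServerHello arrives in the first record.

```python
# Added example: RFC 5746 secure-renegotiation probe. Not Oracle's code.
import os
import socket
import struct

TLS_HANDSHAKE = 0x16
TLS_ALERT = 0x15
TLS1_0 = 0x0301
EXT_RENEGOTIATION_INFO = 0xFF01
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF


def build_client_hello(hostname, cipher_suites=(0x002F, 0x0035, 0x000A)):
    """TLS 1.0 ClientHello with SNI, the SCSV and an empty renegotiation_info."""
    suites = list(cipher_suites) + [TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = hostname.encode("idna")
    sni = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    exts = (struct.pack("!HH", 0x0000, len(sni)) + sni
            + struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00")
    body = (struct.pack("!H", TLS1_0) + os.urandom(32) + b"\x00"   # version, random, no session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return struct.pack("!BHH", TLS_HANDSHAKE, TLS1_0, len(handshake)) + handshake


def parse_server_hello(data):
    """Return (cipher_suite, has_renegotiation_info) from the first TLS record.

    Raises ValueError on an alert or malformed input. Assumes the ServerHello
    is contained in that first record.
    """
    if len(data) < 5:
        raise ValueError("short TLS record")
    ctype, _version, rlen = struct.unpack("!BHH", data[:5])
    if ctype == TLS_ALERT:
        raise ValueError("server answered with an alert: " + data[5:5 + rlen].hex())
    if ctype != TLS_HANDSHAKE:
        raise ValueError("unexpected record type 0x%02x" % ctype)
    rec = data[5:5 + rlen]
    if len(rec) < 4 or rec[0] != 0x02:                              # HandshakeType server_hello
        raise ValueError("first handshake message is not a ServerHello")
    body = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                                                    # version, server random
    pos += 1 + body[pos]                                            # session id
    if len(body) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                                        # cipher suite, compression
    has_ri = False
    if pos + 2 <= len(body):                                        # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == EXT_RENEGOTIATION_INFO:
                has_ri = True
            pos += 4 + elen
    return cipher_suite, has_ri


def check_secure_renegotiation(host, port=443, timeout=5.0):
    """Connect, send the probe, return (cipher_suite, has_renegotiation_info)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_hello(data)


def make_sample_server_hello(with_renegotiation_info):
    """Constructed ServerHello (all-zero random, suite 0x002F) for offline testing."""
    body = struct.pack("!H", TLS1_0) + bytes(32) + b"\x00" + struct.pack("!H", 0x002F) + b"\x00"
    if with_renegotiation_info:
        ext = struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, TLS1_0, len(handshake)) + handshake


if __name__ == "__main__":
    suite, safe = check_secure_renegotiation("pegasus.example.com", 443)  # placeholder host
    print("cipher suite 0x%04X, secure renegotiation %s" % (suite, "yes" if safe else "NO"))
```

A server that negotiates the connection but returns no renegotiation_info extension is one whose renegotiation should be treated as disabled or unsafe; against an SP12 build that is the expected result, and the first renegotiation attempt on it will close the connection as the notes describe.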