Security Advisories and Notifications


Notification: (BEA03-44.00)

From: Oracle Corporation

Minor Subject: Expiration of CA certificates

Two root CA certificates from VeriSign Inc. that are included in the JDK's default cacerts file are expiring on January 7th, 2004. According to VeriSign, all certificates that rely on these CA certificates should have expired by December 7th, 2003. That is, VeriSign stopped issuing certificates based on these CA certificates on December 6th, 2002 for 12 month certificates and on December 6th, 2001 for 24 month certificates. Therefore VeriSign believes that no customers are at risk from the January 2004 expiration of the first generation of VeriSign's PCA root certificates.

A primary PKI rule is that a certificate cannot have a validity period that extends beyond that of the CA that issued it. When processing a certificate, a relying application should check the entire certificate chain -- the end-entity certificate and all the CAs on up to the ultimate root CA -- to ensure that this rule is followed. For SSL certificates, VeriSign changed over to the new hierarchy, whose newer root CA certificate expires in 2028, in 2001 -- and therefore even 2 year SSL certs issued around that rollover time will have expired in 2003. Code signing certs are only valid for 1 year, and since the hierarchy rollover for those products happened in August 2002, the last certificates issued under the old roots would have expired in August 2003. Since all applications should check end-entity cert validity along with hierarchy validity, all customers would have had to renew their old certificates by now, and thus would already have received renewed certs signed in the new hierarchy.

When the BEA WebLogic Server boots with these CA certificates in the trusted CA store (either because the JDK's cacerts file is used or because a custom trusted CA store contains them), it logs warning messages that certificates in the trusted CA store are about to expire if it is booted prior to January 7th, 2004. Once the certificates expire, the warning messages change to say that there are expired certificates in the trusted CA store.

The BEA WebLogic Server rejects any certificate that has expired or that is signed by an expired CA certificate, even if that CA certificate is in the trust keystore. That is, neither the warning messages nor the presence of expired CA certificates in the trust keystore represents a vulnerability. These warning messages can simply be ignored.
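The chain rule described above, and the server's behaviour of rejecting certificates signed by an expired CA while merely warning about the trust store, worked through in code. This is an added example, not code from the advisory, from WebLogic or from the JDK: the Cert class, the trust store and every subject name and date in it are constructed stand-ins (the old root's January 7th, 2004 expiry and the 2028 expiry of the newer root follow the advisory; everything else is assumed). validate_chain walks from the end-entity certificate up to the root and rejects any certificate that is outside its validity period, whose validity period extends beyond its issuer's, or whose root is not in the trust store; trust_store_warnings reproduces the boot-time warning for trusted CAs that are expired or about to expire.

```python
"""Chain-validity check: no certificate may outlive the CA that issued it.

Added example, not code from the advisory, WebLogic or the JDK. All
certificates below are constructed stand-ins; subject names, dates and the
trust-store contents are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # equals subject for a self-signed root
    not_before: date
    not_after: date

    def valid_on(self, day: date) -> bool:
        return self.not_before <= day <= self.not_after


# Constructed trust store (assumed values; the 2004-01-07 and 2028 expiries follow the advisory).
OLD_ROOT = Cert("Old Root CA", "Old Root CA", date(1996, 1, 29), date(2004, 1, 7))
NEW_ROOT = Cert("New Root CA", "New Root CA", date(2001, 1, 1), date(2028, 8, 1))
TRUST_STORE = {OLD_ROOT.subject: OLD_ROOT, NEW_ROOT.subject: NEW_ROOT}

# Constructed end-entity certificates (assumed names and dates).
GOOD_EE = Cert("www.example.test", "New Root CA", date(2003, 6, 1), date(2004, 6, 1))
OLD_EE = Cert("legacy.example.test", "Old Root CA", date(2002, 12, 1), date(2003, 12, 1))
OUTLIVES_EE = Cert("bad.example.test", "Old Root CA", date(2003, 6, 1), date(2004, 6, 1))


def validate_chain(chain, trust_store, today):
    """Validate an ordered chain (end entity first, root last).

    Returns (True, "ok") or (False, reason). Every certificate in the chain,
    not only the end entity, must be within its validity period on `today`;
    each certificate's validity period must lie inside its issuer's; and the
    last certificate must be a self-signed root present in the trust store.
    """
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if not cert.valid_on(today):
            return False, f"{cert.subject!r} not valid on {today}"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if cert.issuer != issuer.subject:
                return False, f"{cert.subject!r} not issued by {issuer.subject!r}"
            # The primary PKI rule: a certificate cannot outlive (or predate) its issuer.
            if cert.not_before < issuer.not_before or cert.not_after > issuer.not_after:
                return False, f"{cert.subject!r} validity exceeds issuer {issuer.subject!r}"
    root = chain[-1]
    trusted = trust_store.get(root.subject)
    if trusted is None or trusted != root or root.issuer != root.subject:
        return False, f"root {root.subject!r} is not in the trust store"
    return True, "ok"


def trust_store_warnings(trust_store, today, horizon_days=90):
    """Mimic the boot-time warning: trusted CAs already expired or expiring within the horizon."""
    warnings = []
    for cert in trust_store.values():
        if cert.not_after < today:
            warnings.append(f"EXPIRED: {cert.subject} expired {cert.not_after}")
        elif cert.not_after <= today + timedelta(days=horizon_days):
            warnings.append(f"EXPIRING: {cert.subject} expires {cert.not_after}")
    return warnings


def demo():
    """Run the checks on the constructed data and return the results by name."""
    return {
        "new_hierarchy_2003_12_15": validate_chain([GOOD_EE, NEW_ROOT], TRUST_STORE, date(2003, 12, 15)),
        "old_hierarchy_2003_06_01": validate_chain([OLD_EE, OLD_ROOT], TRUST_STORE, date(2003, 6, 1)),
        "old_hierarchy_2004_02_01": validate_chain([OLD_EE, OLD_ROOT], TRUST_STORE, date(2004, 2, 1)),
        "outlives_issuer_2003_06_01": validate_chain([OUTLIVES_EE, OLD_ROOT], TRUST_STORE, date(2003, 6, 1)),
        "root_only_expired_2004_02_01": validate_chain([OLD_ROOT], TRUST_STORE, date(2004, 2, 1)),
        "warnings_2003_12_01": trust_store_warnings(TRUST_STORE, date(2003, 12, 1)),
        "warnings_2004_02_01": trust_store_warnings(TRUST_STORE, date(2004, 2, 1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The OUTLIVES_EE case is the one the PKI rule exists for: the end-entity certificate is itself within its validity period in June 2003, but because its notAfter falls after its issuer's, a chain-checking relying party rejects it without waiting for January 2004. The OLD_EE case shows the ordinary outcome the advisory describes: a correctly issued certificate under the old root is valid until it expires in December 2003 and is rejected afterwards, so the expired root left in the trust store never causes an expired chain to be accepted. For a real JDK trust store the same validity fields can be read with keytool -list -v -keystore <path to cacerts>.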

An issue related to these expiring CA certificates is that Sun Microsystems did not include VeriSign's new CA certificates in the JDK's cacerts file. If the JDK's cacerts file is being used as the trust store for the BEA WebLogic Server, valid certificates that are signed by these new VeriSign CA certificates will be rejected. These new root CA certificates can be added to the JDK's cacerts file by following the directions in the "Relief/Workaround" section of the Sun Alert Notification at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436.


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation