Note: This is an archival copy of Security Sun Alert 200068 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000052.1.
Sun Net Connect 3.2 Services
Date of Resolved Release
A security vulnerability in Sun Remote Services (SRS) Net Connect Software may allow a local unprivileged user to read partial contents of any file on the system.
Sun acknowledges with thanks, iDefense (http://www.idefense.com) for bringing this issue to our attention.
This issue is also described in the following document:
This issue can occur in the following releases:
To determine if the SRS Net Connect software has been installed on a system, the following command can be run:
$ pkginfo SUNWsrspx system SUNWsrspx Sun(SM) Net Connect Proxy Core
To determine the version of the SRS Net Connect software installed on the system, the filename of the SRS Net Connect Uninstall script can be examined:
$ ls -l /opt/SUNWsrspx/bin/Uninstall* -r-xr----- 1 root root 6422 Mar 16 19:34 /opt/SUNWsrspx/bin/UninstallNetConnect.003.002.004.sh
The above output indicates SRS Net Connect version 3.2.4 is installed on the system.
There are no predictable symptoms that would indicate the described issue has been exploited to read the contents of a file on the system.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
This solution has no attachment