Note: This is an archival copy of Security Sun Alert 200364 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000257.1.
Category: Security
Release Phase: Resolved
4959521
Date of Workaround Release: 16-JAN-2004
Date of Resolved Release: 15-MAR-2004

Impact

On systems running Sun Cluster 3.x with SunPlex Manager configured, a remote unprivileged user (who has obtained "root" privileges) may cause a Denial of Service (DoS) and arbitrary code execution due to multiple vulnerabilities in OpenSSL Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

This issue is also described in CERT Vulnerability VU#104280 at http://www.kb.cert.org/vuls/id/104280, which is referenced in CERT Advisory CA-2003-26 at http://www.cert.org/advisories/CA-2003-26.html. Also see the NISCC Vulnerability Advisory 006489/TLS at http://www.uniras.gov.uk/vuls/2003/006489/tls.htm.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

Notes:
To determine if SunPlex Manager is configured and running on a cluster node, run the following command:

    $ /usr/bin/ps -fp `/usr/bin/cat /var/cluster/spm/httpd.pid`

If the output is similar to the following:

    UID   PID  PPID  C    STIME TTY  TIME CMD
    root  2907    1  0   Nov 19 ?    0:02 /usr/apache/bin/httpd -DSSL -f /opt/SUNWscvw/conf/httpd.conf

then SunPlex Manager is running on this cluster node. If the above command returns no process information or an error, SunPlex Manager is not running on this cluster node.

Symptoms

There are no predictable symptoms that would indicate the above described issue has been exploited.

Workaround

To work around the described issue, systems can be protected by completely stopping the SunPlex Manager by running the following command:

    $ /etc/init.d/initspm stop

Resolution

This issue is addressed in the following releases:

SPARC Platform

Modification History

Date: 09-FEB-2004
Date: 23-FEB-2004
Date: 15-MAR-2004

Product: Sun Cluster 3.1
References: 113505-02 113508-02 115054-01 115055-01
Attachments: This solution has no attachment
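
An added example, not part of the Sun Alert: the SunPlex Manager check from the Notes, written as POSIX shell functions for use across cluster nodes. It goes beyond the advisory's two outcomes by also reporting a stale PID file, where the recorded PID belongs to some other process; the function names and the state labels are assumptions.

```shell
#!/bin/sh
# Added example. Paths come from the advisory; the function names and the
# "running" / "stale" / "stopped" labels are hypothetical.
SPM_PIDFILE=${SPM_PIDFILE:-/var/cluster/spm/httpd.pid}
SPM_CONF=/opt/SUNWscvw/conf/httpd.conf

# Read `ps -fp <pid>` output on stdin and print one state:
#   running - an httpd started with the SunPlex Manager configuration
#   stale   - the PID exists but is not the SunPlex Manager httpd
#   stopped - header only or no output (no such process)
spm_classify() {
    state=stopped
    read -r _header || true              # skip the "UID PID PPID ..." header
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        case $line in
            *httpd*"$SPM_CONF"*) state=running ;;
            *) [ "$state" = running ] || state=stale ;;
        esac
    done
    echo "$state"
}

# Resolve the PID file, validate its content, and classify the process.
spm_status() {
    pidfile=${1:-$SPM_PIDFILE}
    [ -r "$pidfile" ] || { echo stopped; return 0; }
    pid=$(tr -d ' \t\r\n' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo stale; return 0 ;;   # malformed PID file
    esac
    /usr/bin/ps -fp "$pid" 2>/dev/null | spm_classify
}

# Stand-alone use: sh spm_check.sh --check
if [ "${1:-}" = "--check" ]; then
    spm_status
fi
```

A result of `running` means the node still needs the workaround or the resolved release; `stale` means the PID file should not be trusted as evidence either way.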