Note: This is an archival copy of Security Sun Alert 200585 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000447.1.
Solaris 9 Operating System
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Two security vulnerabilities in the OpenSSL product may lead to a Denial of Service (DoS) in applications which make use of this product. Depending on the individual application, these vulnerabilities may allow a local or remote unprivileged user to provide data to the application which will cause it to consume excessive amounts of CPU time or system memory.
OpenSSL is shipped with Solaris 10 (see openssl(5)). This library is not shipped with Solaris 9, however, a number of Solaris 9 applications statically link against this library and may be affected by these vulnerabilities. This Sun Alert provides details about the individual patches which should be installed to update the OpenSSL product on Solaris 10 and all potentially impacted Solaris 9 applications.
These issues are also referenced at the following URLs:
The WAN Boot application, which is shipped with Solaris 9 and Solaris 10, is impacted by these vulnerabilities. For more information, please see Sun Alert 102759.
This issue can occur in the following releases:
Note 1: Solaris 8 is not impacted by this issue.
Note 2: Solaris 9 does not ship with OpenSSL libraries which can be used for third-party application linking.
If either of the two issues mentioned above have been exploited, processes belonging to the affected applications will be consuming unusually large amounts of CPU time or memory, and applications running on the system may be slow or unresponsive. Commands such as prstat(1M) can be used to determine the utilization of system resources, for example:
$ prstat -s cpu [...] $ prstat -s size [...]
There is no workaround for this issue.
This issue is addressed in the following releases:
This solution has no attachment