Note: This is an archival copy of Security Sun Alert 200858 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000648.1.
Solaris 10 Operating System
Date of Preliminary Release
Date of Resolved Release
Security Vulnerability in Solaris 10 OpenSSL SSL_get_shared_ciphers() Function
A security vulnerability in the SSL_get_shared_ciphers() function within the OpenSSL library shipped with Solaris 10 may affect applications which make use of this function. The exact impact will vary depending on the way this function is used by the application. For example, if the application communicates with remote hosts and makes use of the SSL_get_shared_ciphers() function, it may be possible for a local or remote user to execute arbitrary code with the privileges of the impacted application or to cause the application to crash, which is a type of Denial of Service (DoS).
This issue is also referenced in the following documents:
CVE-2007-5135 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-51352. Contributing Factors
This issue can occur in the following releases:
There are no predictable symptoms that would indicate that this issue has been exploited to gain elevated privileges. Symptoms indicating a Denial of Service (DoS) will vary depending upon the application.4. Workaround
There is no workaround for this issue. However, affected applications may allow this issue to be worked around by disabling the functionality which makes use of the SSL_get_shared_ciphers() function (for example, SSL support). See the relevant application documentation for further information.Resolution
This issue is addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
13-Feb-2008: Updated Contributing Factors and Resolution sections, RESOLVED
This solution has no attachment