Note: This is an archival copy of Security Sun Alert 201333 as previously published on
Latest version of this security advisory is available from as Sun Alert 1001007.1.
Article ID : 1001007.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-08
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in Early Versions of Sun SPARC Enterprise M4000/M5000/M8000/M9000 XSCF Control Package (XCP) firmware may Result in a Denial of Service (DoS) Condition


Release Phase

Sun SPARC Enterprise M9000 Server
Sun SPARC Enterprise M8000 Server
Sun SPARC Enterprise M4000 Server
Sun SPARC Enterprise M5000 Server

Bug Id
6574635, 6546970, 6548161

Date of Resolved Release


Security vulnerabilities with telnet(1), Secure Shell (SSH), and httpd in the Sun SPARC Enterprise M4000/M5000/M8000/M9000 XSCF Control Package (XCP) firmware versions prior to 1050 may allow a remote unprivileged user to cause a Denial of Service (DoS).

Contributing Factors

This issue can occur on the following platforms:

  • SPARC Enterprise M4000/M5000/M8000/M9000 servers with XSCF Control Package (XCP) firmware versions prior to 1050.

To determine the version of XCP firmware installed on a system, the following command can be used at the XSCF> prompt:

    XSCF> version -c xcp
    XSCF#0 (Active )
    XCP0 (Current): 1050
    XCP1 (Reserve): 1050

If the value under "Current" is less than 1050, the system may be vulnerable to this issue.


If the described issue occurs, the eXtended System Control Facility (XSCF) response may degrade and the XSCF will reboot whenever an "Out of Memory" condition occurs. Issues connecting to the XSCF may also be experienced.


There is no workaround.  Please see the Resolution section below.


This issue is addressed in the following releases:

  • XCP version 1050 or later

XCP 1050 packages are available from the Sun Download Center at:

This solution has no attachment