Note: This is an archival copy of Security Sun Alert 201460 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001100.1.
Article ID : 1001100.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Sun Cluster 2.2



Category
Security

Release Phase
Resolved

Bug Id
4805121, 4318821

Date of Resolved Release
20-MAY-2003

Impact

Database user names and passwords may be readable for local unprivileged users because they are held in a plain text cluster configuration file.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Cluster 2.2 (for Solaris 2.6) without patch 109208-13
  • Sun Cluster 2.2 (for Solaris 7) without patch 109209-12
  • Sun Cluster 2.2 (for Solaris 8) without patch 109210-11

Note that due to a patch removal script issue, the vulnerability will recur if one of the following patches is removed from the system and the fix is not re-installed:

  • Sun Cluster 2.2 removal of patch 109208-14 through 109208-17
  • Sun Cluster 2.2 removal of patch 109209-13 through 109209-16
  • Sun Cluster 2.2 removal of patch 109210-12 through 109210-15

This removal script issue is resolved by Bug 4805121 addressed in the patches listed in the Resolution section below.

Only systems that have the HA-Oracle or HA-Sybase DBMS services registered with the cluster framework are affected by this issue. The issue is not with the Oracle or Sybase software.

Note: Sun Cluster 3.x is not impacted by this issue.


Symptoms

There are no reliable symptoms that would show the described issue has occurred.


Workaround

There is no workaround. Please see the "Resolution" section below.

It is not possible to simply change the permissions of the cluster configuration file since there are a number of processes that modify this file and at the same time set the permissions of the file to the default values.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun Cluster 2.2 (Solaris 2.6) with patch 109208-18 or later
  • Sun Cluster 2.2 (Solaris 7) with patch 109209-17 or later
  • Sun Cluster 2.2 (Solaris 8) with patch 109210-16 or later

Note: With the above patches installed, the cluster configuration file is accessible by the superuser only.
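
As an added example (not part of the original Sun Alert), the following shell function classifies a node from `showrev -p` output using the patch revisions listed in this alert. It assumes the node runs Sun Cluster 2.2 with HA-Oracle or HA-Sybase registered, which it does not check; the function name and status strings are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Sun Cluster 2.2 node
# against the patch revisions listed in this Sun Alert.
# stdin: `showrev -p` output.  $1: Solaris release (2.6, 7 or 8).
sc22_alert_status() {
    case "$1" in
        2.6) base=109208; first_fix=13; resolved=18 ;;
        7)   base=109209; first_fix=12; resolved=17 ;;
        8)   base=109210; first_fix=11; resolved=16 ;;
        *)   echo "unknown-release"; return 0 ;;
    esac
    # Highest installed revision, read only from the "Patch:" field so that
    # ids listed under Obsoletes:/Requires: are ignored.
    rev=$(awk -v base="$base" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { print max + 0 }')
    pid=$(printf '%s-%02d' "$base" "$rev")
    if [ "$rev" -ge "$resolved" ]; then
        echo "resolved $pid"
    elif [ "$rev" -gt "$first_fix" ]; then
        # Revisions in the "removal" ranges: removing the patch re-exposes
        # the file unless the fix is re-installed.
        echo "fixed-but-removal-reexposes $pid"
    elif [ "$rev" -eq "$first_fix" ]; then
        # Fix present, but below the revision the Resolution section lists.
        echo "fixed-below-resolved $pid"
    elif [ "$rev" -gt 0 ]; then
        echo "exposed $pid"
    else
        echo "exposed $base-not-installed"
    fi
}

# Constructed sample line in `showrev -p` layout (package name is a placeholder).
printf 'Patch: 109210-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample\n' |
    sc22_alert_status 8      # prints: fixed-but-removal-reexposes 109210-14
```

On a live node the call would be `showrev -p | sc22_alert_status 2.6` (or 7, 8); on Solaris the `awk` with `-v` support is `nawk` or `/usr/xpg4/bin/awk`.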



Modification History
Date: 20-JUN-2003
  • Added BugID 4318821
  • Updated Contributing Factors regarding "patch removal script" issue



Product
Sun Cluster 2.2 4/00

References

109208-18
109209-17
109210-16
