Note: This is an archival copy of Security Sun Alert 201460 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001100.1.
Date of Resolved Release
Database user names and passwords may be readable for local unprivileged users because they are held in a plain text cluster configuration file.
This issue can occur in the following releases:
Note that due to a patch removal script issue, the vulnerability will recur if one of the following patches is removed from the system and the fix is not re-installed:
This removal script issue is resolved by Bug 4805121 addressed in the patches listed in the Resolution section below.
Only systems that have the HA-Oracle or HA-Sybase DBMS services registered with the cluster framework are affected by this issue. The issue is not with the Oracle or Sybase software.
Note: Sun Cluster 3.x is not impacted by this issue.
There are no reliable symptoms that would show the described issue has occurred.
There is no workaround. Please see the "Resolution" section below.
Simply changing the permissions of the cluster configuration file does not help, because a number of processes modify this file and, in doing so, reset its permissions to the default values.
This issue is addressed in the following releases:
Note: With the above patches installed, the cluster configuration file is accessible by the superuser only.
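To confirm the post-patch state described in the note above, and to catch the recurrence after a patch removal, the file's owner and mode can be audited. This is an added example, not part of the original Sun Alert; the function name `audit_file` is hypothetical and the file path is passed as an argument because the advisory does not name the configuration file.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): check that a file is accessible
# by the superuser only. The path is supplied by the caller; the advisory
# does not give the cluster configuration file's location.

# audit_file FILE [EXPECTED_UID]
#   returns 0 if FILE is owned by EXPECTED_UID (default 0, the superuser)
#             and grants no permission bits to group or other
#   returns 1 if FILE is exposed (wrong owner or group/other bits set)
#   returns 2 if FILE is not a regular file
# Only the classic mode bits are inspected; ACL entries are not examined.
audit_file() {
    file=$1
    want_uid=${2:-0}

    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 2
    fi

    # ls -ln prints the mode string (field 1) and the numeric owner (field 3)
    info=$(ls -lnd -- "$file" | awk '{print $1 " " $3}')
    mode=${info% *}
    uid=${info#* }

    # Mode string layout: type, owner rwx, group rwx, other rwx.
    # Characters 5-10 are the group and other bits.
    shared=$(printf '%s' "$mode" | cut -c5-10)

    if [ "$uid" != "$want_uid" ]; then
        echo "EXPOSED  $file: owner uid $uid, expected $want_uid"
        return 1
    fi
    if [ "$shared" != "------" ]; then
        echo "EXPOSED  $file: mode $mode grants access to group or other"
        return 1
    fi
    echo "OK       $file: mode $mode, owner uid $uid"
    return 0
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_file "$@"
fi
```

Because running processes rewrite the file and reset its mode, the check is worth repeating after any patch is added or removed rather than run once.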
Sun Cluster 2.2 4/00