Note: This is an archival copy of Security Sun Alert 234302 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019070.1.
Article ID : 1019070.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Sun Alert Archive Reference for Year 2002



Category
Security

Release Phase
Resolved

3 of 3 -- Security Sun Alert Archive Reference for Year 2002
If you need additional information for any of the following
Sun Alerts please contact the Sun Alert Program Office at:
	sunalert_pmo@sun.com
These Sun Alerts are only available upon request. They are not part
of the current collection which begins with January 1, 2003.
=======================================================
1)
XML DTD Entities can Cause Denial of Service on XML 1.0 Parsers,
Including Those Supplied With Sun ONE Unified Development Server (UDS)
ID: 101157 (formerly 49922)
# Product: Sun ONE Unified Development Server 3.0/5.0
# BugIDs: 4792456
Unprivileged local or remote users can use specific XML entity
declarations in DTDs ("Document Type Definitions") to create a Denial
of Service (DoS) attack on XML 1.0 standard compliant parsers, including
those supplied with the Sun ONE Unified Development Server (UDS).
Such a Denial of Service attack could result in the loss of an
application service, rendering part of the system inoperable.
=======================================================
2)
mail(1) Vulnerability May Allow Options to be Passed to Sendmail
ID: 100976 (formerly 42774)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7
Operating System, Solaris 8 Operating System
# BugIDs: 4502850
Unprivileged local or remote users may be able to gain elevated
privileges due to a vulnerability involving the interaction of mail(1)
and sendmail(1M) when mail(1) is invoked from a privileged program.
The only such privileged program that Sun ships is in.lpd(1M). In this case
unauthorized root access is possible via in.lpd(1M). This specific instance
is already described in SunAlert 41664. It is related to CERT Vulnerability
Note VU#39001, lpd allows options to be passed to sendmail described at
http://www.kb.cert.org/vuls/id/39001 which is referenced in CA-2001-30
(see http://www.cert.org/advisories/CA-2001-30.html).
=======================================================
3)
Buffer Overflow in snmpdx(1M) May Allow Remote Root Compromise
ID: 100975 (formerly 42769)
# Product: Solaris 2.6 Operating System, Solaris 7 Operating System,
Solaris 8 Operating System
# BugIDs: 4563124
Unprivileged local or remote users may be able to gain unauthorized root
access due to a buffer overflow in snmpdx(1M).
This issue is described in the CERT Vulnerability VU#854306 (see
=======================================================
4)
Solaris RFC 1948 TCP Initial Sequence Numbers (ISNs) Should be More Random
ID: 100982 (formerly 42963)
# Product: Solaris 2.6 Operating System, Solaris 7 Operating System,
Solaris 8 Operating System
# BugIDs: 4463711
Systems using RFC 1948 sequence number generation which also use reusable
IP addresses (e.g. modem servers, or systems configured to use DHCP or NAT),
may be vulnerable to TCP based attacks such as IP spoofing which can result
in an unprivileged remote user gaining unauthorized root access to the server.
RFC 1948 sequence number generation is enabled in Solaris systems by setting
"TCP_STRONG_ISS=2" in /etc/default/inetinit. The default value is "TCP_STRONG_ISS=1".
=======================================================
5)
Buffer Overflow in the Kerberos version of login, login.krb5
ID: 100987 (formerly 43223)
# Product: SEAM for Solaris 2.6 Operating System, Solaris 7 Operating System,
Solaris 8 Operating System
# BugIDs: 4615238
Unprivileged local or remote users may be able to gain unauthorized root
access due to a buffer overflow in the Kerberos version of login, login.krb5.
This issue is related to the issue described in the CERT Vulnerability VU#569272
=======================================================
6)
Java SDK and JRE URLConnection Should Perform Checks on Request Headers
ID: 100989 (formerly 43298)
# Product:  SDK and JRE 1.3.0
# BugIDs: 4447135
A vulnerability in the Java(TM) Runtime Environment may allow an untrusted
applet to monitor requests to and responses from an HTTP proxy server when
a persistent connection is used between a client and an HTTP proxy server.
=======================================================
7)
Sun Management Center (SunMC) Agent Susceptibility to a Denial of Service Attack
ID: 100991 (formerly 43365)
# Product:  SunMC 2.1.1
# BugIDs: 4640046
This issue is related to the issue described in the CERT Vulnerability VU#854306
The Sun Management Center agent has been tested using the tool referenced in
the CERT advisory and it has been found that none of the available tests allowed
malicious code into the system. However, the SunMC agent is susceptible to a
denial of service attack, in that the agent may shut down under an attack as
described in this CERT advisory.
=======================================================
8)
Security Vulnerability in Java(TM) Runtime Environment Bytecode Verifier
ID: 101000 (formerly 43546)
# Product: JDK and JRE 1.1.8
# BugIDs: 4510682
A vulnerability in the Java(TM) Runtime Environment Bytecode Verifier may be
exploited by an untrusted applet to escalate privileges.
=======================================================
9)
Java(TM) Web Start Applications May Gain Access to Restricted Resources
ID: 100999 (formerly 43544)
# Product:  Java Web Start 1.0, 1.0.1, and 1.0.1_01
# BugIDs: 4522528, 4528538
A Java(TM) Web Start application may gain access to restricted resources.
=======================================================
10)
Sun Cluster Process, in.mond, May Allow Access to System Logs and Configuration Data
ID: 100805 (formerly 25252)
# Product:  Sun Cluster 2.2
# BugIDs: 4392328
All cluster configuration information and system logs can be accessed by
external systems via a connection to the in.mond process. This allows an
external system to know about the machines in the cluster and possibly a
list of user logins to that machine.
=======================================================
11)
Sun Fire 280R, V880 and V480 Unprivileged Users May be Able to Issue Environmental
Monitoring Subsystem Commands
ID: 101013 (formerly 43908)
# Product: Sun Fire 280R Server, Sun Fire V880 Server, Sun Fire V480 Server
# BugIDs: 4625162
Unprivileged local users on Sun Fire 280R, V880, and V480 systems may be able
to alter the environmental monitoring subsystem. This could result in the system
becoming unavailable.
=======================================================
12)
Security Issue When Setting ACLs on Character Terminals With Solaris
ID: 101014 (formerly 43929)
# Product: Solaris 8 Operating System
# BugIDs: 4394991
A local unprivileged user may be able to retain write permissions to their
allocated tty(1) via an Access Control List (ACL) after they have logged out
and the tty(1) has been allocated to another user. For more information refer
to the acl(2) manual page.
=======================================================
13)
Buffer Overflow in snmpd(1M) and edd(1M) may Allow Unauthorized Remote Access
to E10K SSP Server
ID: 101018 (formerly 43985)
# Product: Sun Enterprise 10000 Server
# BugIDs: 4643692, 4648503, 4425460
Unprivileged remote users may be able to gain unauthorized access to an
SSP machine due to buffer overflow in snmpd(1M) and edd(1M).
This issue is described in the CERT Vulnerability VU#854306
=======================================================
14)
Security Vulnerabilities in Kerberos 4 Affect Sun Enterprise Authentication
Mechanism (SEAM(5))
ID: 101017 (formerly 43946)
# Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris
8 Operating System
# BugIDs: 4338622
A remote unprivileged user may be able to gain unauthorized root access to a
system running services authenticated with Kerberos 4. A remote unprivileged
user may also be able to gain unauthorized root access to a system running krshd,
regardless of whether the program is configured to accept Kerberos 4 authentication.
This issue is described in CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos
=======================================================
15)
Security Issues with Solstice Enterprise Agents (SEA) snmpdx(1M) and mibiisa(1M)
ID: 101019 (formerly 43986)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating
System, Solaris 8 Operating System
# BugIDs: 4640230, 4640211, 4639581, 4639285, 4639509, 4639515
Unprivileged local or remote users may be able to kill the snmpdx(1M) or
mibiisa(1M) daemons due to the mishandling of SNMP requests. This would
cause a denial of service for utilities or users attempting to access these daemons.
Also, unprivileged local or remote users may be able to gain unauthorized
root access due to a buffer overflow in snmpdx(1M) and mibiisa(1M).
=======================================================
16)
Buffer Overflow in the CDE Mailer (dtmail)
ID: 100988 (formerly 43225)
# Product: Common Desktop Environment 1.0
# BugIDs: 4166321
Unprivileged local users may be able to gain unauthorized gid mail access
due to a buffer overflow in the CDE Mailer, dtmail(1X). This would allow
users with access to a mail server to read, modify, and delete the e-mail
of other users in /var/mail.
For more information see NSFOCUS Security Advisory (SA2001-04).
=======================================================
17)
Security Vulnerability with the in.lpd(1M) Daemon Allowing Options to be Passed
to Sendmail
ID: 100953 (formerly 41664)
# Product: Solaris 2.6 Operating System, Solaris 7 Operating System,
Solaris 8 Operating System
# BugIDs: 4501950
Unprivileged remote and local users may be able to gain unauthorized root
access due to a security vulnerability in in.lpd(1M) interacting with mail(1) and
sendmail(1). See also Sun Alert 42774.
This issue is described in the CERT Vulnerability VU#39001
=======================================================
18)
tcsh(1), csh(1), sh(1) and ksh(1) Create Predictable tmpfiles When Using
"here" ('<<') Documents
ID: 100890 (formerly 27694)
# Product: Solaris 8 Operating System
# BugIDs: 4384076, 4384080, 4392404, 4477619
Unprivileged local users may be able to overwrite or create any file on
the system if a root user uses the tcsh(1), csh(1), sh(1) or ksh(1) shell
to create a "here" document.
This issue is described in CERT Vulnerability Note VU#10277
=======================================================
19)
Sun Ray Security Vulnerability with Non-Smartcard Mobility (NSCM)
ID: 101020 (formerly 44069)
# Product:  Sun Ray Server Software (SRSS) 1.3
# BugIDs: 4660438
It may be possible for a user to login to a Solaris 8 Sun Ray server which is
configured to use non-smartcard mobility (NSCM) and inadvertently be logged in
as a different user. Note that the initial user has to be on a client that is
issuing XDMCP to the Sun Ray server that has this security vulnerability. The
initial user does not have to have an account on the Sun Ray server itself.
=======================================================
20)
Buffer Overflow in mail(1) in Solaris
ID: 100915 (formerly 40093)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System,
Solaris 8 Operating System
# BugIDs: 4465086, 4624990
Unprivileged local users may be able to gain unauthorized "gid" mail access due
to a buffer overflow in mail(1). This would allow users with access to a mail
server to read, modify, and delete the e-mail of other users in /var/mail.
=======================================================
21)
Buffer Overflow in xntpd(1M)
ID: 100932 (formerly 40771)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System,
Solaris 8 Operating System
# BugIDs: 4434235
It is possible for unprivileged local or remote users to cause xntpd(1M), the
Network Time Protocol daemon, to dump core.
=======================================================
22)
The SunATM atmsnmpd(1M) Daemon has a Denial of Service Vulnerability
ID: 101032 (formerly 44605)
# Product: SunATM 5.0
# BugIDs: 4641068
A local or remote user may be able to kill the atmsnmpd(1M) daemon due to its
improper handling of malformed SNMP requests on Solaris.
This issue is described in CERT Vulnerability VU#854306
========================================================
23)
Security Vulnerabilities with the SNMP Protocol and Sun Products
ID: 101002 (formerly 43704)
# Product: SNMP
# BugIDs: 4563124, 4640046, 4643692, 4641295, 4637910, 4641295
Sun products which utilize the SNMP protocol may be vulnerable to Denial
of Service attacks, service interruptions, and in some cases a local or
remote attacker may be able to gain access to the affected device or even
gain elevated privileges.
More details of the issue are available from CERT Vulnerability VU#854306
=======================================================
24)
Security Issue with gzip(1) 1.2.4 in Solaris 8
ID: 101021 (formerly 44186)
# Product: Solaris 8 Operating System
# BugIDs: 4644742
The gzip(1) version 1.2.4 contains a buffer overflow in its input file name
handling and if executed by a privileged program (such as an FTP server) an
unprivileged local user may be able to gain elevated privileges. If an FTP
server has been configured to allow anonymous FTP, then remote users may also
be able to exploit this vulnerability.
This issue is described in the Security Focus bugtraq Id 3712
=======================================================
25)
lbxproxy(1) Might Cause a Buffer Overflow in Solaris
ID: 101036 (formerly 44842)
# Product: Solaris 9 Operating System, Solaris 7 Operating System, Solaris 8
Operating System
# BugIDs: 4649617
Local users may be able to gain unauthorized group ID "root" access due to
a buffer overflow in lbxproxy(1) (the "Low Bandwidth X Proxy").
This issue is described in eSO Security Advisory 3761
=======================================================
26)
Security Vulnerability in the in.talkd(1M) Daemon
ID: 101034 (formerly 44646)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating
System, Solaris 8 Operating System
# BugIDs: 4651310
A remote user may be able to gain unauthorized root privileges due to a format
string vulnerability in the in.talkd(1M) daemon on Solaris.
=======================================================
27)
"telnetd" and "rlogind" Under SEAM(5) Should not Indicate if the Username
Supplied is Valid
ID: 101039 (formerly 45141)
# Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8
Operating System
# BugIDs: 4509090
A remote unprivileged user may be able to determine if a login ID exists on a
Kerberos system by attempting to telnet(1M) or rlogin(1M) to that system. This
should not be possible as the system should only respond with a success or
failure status after the password has been supplied. As such, it should not be
possible to determine if it was the user ID or the password supplied that was incorrect.
=======================================================
28)
System May be Panicked Within "adb" by an Unprivileged User
ID: 101045 (formerly 45241)
# Product: Solaris 2.6 Operating System, Solaris 7 Operating System
# BugIDs: 4190080
An unprivileged local user may be able to panic the system using adb(1M) under
certain circumstances.
=======================================================
29)
The "/proc//sigact" File May Contain Sensitive Data
ID: 101044 (formerly 45240)
# Product: Solaris 2.6 Operating System
# BugIDs: 4135457
A local unprivileged user may be able to view snippets of uninitialized memory.
=======================================================
30)
Security Vulnerability in the rpc.rwalld(1M) Daemon
ID: 101029 (formerly 44502)
# Product: Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6 Operating System,
Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4664537
A local or remote user may be able to gain unauthorized root privileges due to
a format string vulnerability in the rpc.rwalld(1M) daemon on Solaris. However,
the user would have to consume system resources and prevent rpc.rwalld(1M) from
executing wall(1M) in order to trigger the printing of the affected error message.
This makes remote exploitation non-trivial although the threat still remains. Local
exploitation of the bug is less difficult.
=======================================================
31)
The Solaris console(7D) may be Disabled by an Unprivileged Local User
ID: 101051 (formerly 45400)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating
System, Solaris 8 Operating System
# BugIDs: 4657339
A local unprivileged user may be able to prevent future logins to the
console(7D) device (/dev/console). This is a type of denial of service.
=======================================================
32)
Secure Shell ("ssh") Integer Overflow can Cause a Remote Security Exploit
in Solaris 9
ID: 101057 (formerly 45525)
# Product: Solaris 9 Operating System
# BugIDs: 4708590
An integer overflow in sshd(1M) can allow unauthorized root access from a remote machine.
This issue is described in the CERT Vulnerability VU#369347
=======================================================
33)
gethostbyX(3NSL) Routines May Cause Application Failure
ID: 101052 (formerly 45463)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7
Operating System, Solaris 8 Operating System
# BugIDs: 4525129
A remote unprivileged user may cause the failure of applications that
use the DNS (Domain Name System) service for host name resolution.
This issue is described in the CERT Vulnerability VU#738331
=======================================================
34)
Unprivileged Local Users may be Able to Intercept Data Entered on the
System Serial Console
ID: 101054 (formerly 45502)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7
Operating System
# BugIDs: 4289663
Unprivileged local users may be able to intercept keystroke information
entered on the system serial console terminal, potentially including
privileged data.
=======================================================
35)
The Use of "/dev/poll" May Panic a System
ID: 101047 (formerly 45300)
# Product: Solaris 8 Operating System
# BugIDs: 4528269
A local unprivileged user may cause a system to panic by running a program
that uses /dev/poll. This same problem may also be caused unintentionally
if the default libthread is in use.
=======================================================
36)
pkgadd(1M) May Set Undesirable Permissions
on Files When Installing Certain Packages
ID: 101059 (formerly 45693)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating
System, Solaris 8 Operating System
# BugIDs: 4136905
In certain circumstances, pkgadd(1M) may erroneously install files with the
set-uid and set-gid permission bits applied. The files may also have the
owner set to 'root' meaning that a set-uid root shell could be installed
without the system administrator being aware of it.
If this occurs, pkgadd(1M) will install the package without asking or
notifying the user that these files are being installed with setuid/setgid privileges.
=======================================================
37)
Buffer overflow in vold(1M)
ID: 101061 (formerly 45707)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating
System, Solaris 8 Operating System
# BugIDs: 4637250
Unprivileged local users may be able to gain unauthorized root access due
to a buffer overflow in vold(1M).
=======================================================
38)
Security Vulnerability in the Way Apache Web Servers Handle Data Encoded in Chunks
ID: 101066 (formerly 45961)
# Product: Solaris 9 Operating System, Solaris 8 Operating System
# BugIDs: 4705227
A local or remote unprivileged user may be able to execute arbitrary code on
Solaris 8 and 9 systems running the bundled version of Apache with the
privileges of the Apache HTTP process. The Apache HTTP process normally
runs as the unprivileged uid 'nobody' (uid 60001). Exploits are publicly
available that claim to allow the execution of arbitrary code. The ability
to execute arbitrary code as the unprivileged uid 'nobody' may lead to
modified Web content, denial of service, or further compromise.
This issue is described in the CERT Vulnerability VU#944335
=======================================================
39)
Multiple Vulnerabilities in the ToolTalk Database Server
ID: 101068 (formerly 46022)
# Product: Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6 Operating
System, Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4707187
A local or remote user may be able to delete arbitrary files, cause a
denial of service, or possibly execute arbitrary code or commands with
the privileges of the rpc.ttdbserverd(1M) daemon due to vulnerabilities
discovered in the Common Desktop Environment (CDE) ToolTalk RPC database server,
rpc.ttdbserverd(1M). The rpc.ttdbserverd(1M) daemon runs with root privileges.
This issue is described in the CERT Vulnerability VU#299816
=======================================================
40)
Sun ONE Web Server Arbitrary Remote File Viewing Vulnerability
ID: 101072 (formerly 46127)
# Product:  Sun ONE Web Server 6.0 prior to Service Pack 4
# BugIDs: 4712812, 4713024
A vulnerability has been found in the Sun ONE, iPlanet and Netscape Web Server
applications that allows remote unprivileged users to view and read files on
the system upon which the web server is running. The files that are viewable are
only those which the web server, which runs as uid 'nobody', can access and is
thus limited to world readable files.
=======================================================
41)
Sun ONE Web Server Transfer Encoding Buffer Overflow Vulnerability
ID: 101073 (formerly 46128)
# Product: Sun ONE Web Server 6.0 prior to Service Pack 4
# BugIDs: 4707395, 4711825
A local or remote unprivileged user may be able to execute arbitrary code on
systems running the iPlanet Web Server or the Sun ONE Web server with the
privileges of the iPlanet Web Server HTTP process or the Sun ONE Web server
due to a buffer overflow in the HTTP daemon of both web servers. The iPlanet
Web Server and Sun ONE Web server HTTP daemon normally run as the unprivileged
uid 'nobody' (uid 60001). The ability to execute arbitrary code as the
unprivileged uid 'nobody' may lead to modified Web content, denial of service,
or further compromise.
=======================================================
42)
Xsun(1) Might Cause a Buffer Overflow in Solaris
ID: 101037 (formerly 44843)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating
System, Solaris 8 Operating System
# BugIDs: 4661987
Unauthorized local users may be able to gain unauthorized root access on
Solaris x86 systems or group ID "root" access on Solaris SPARC systems due
to a buffer overflow in the Xsun(1) server if used with the "-co"
(color database) command line option.
This issue is described in Network Security Focus (NSFocus) Security
Advisory SA2002-01
=======================================================
43)
SunNet Manager's (SNM) SNMP Daemon (snmpd) May Die When Handling Malformed
SNMP Requests
ID: 101074 (formerly 46343)
# Product:  SunNet Manager 2.3 (for Solaris 2.5.1, 2.6, 7, 8, and 9)
# BugIDs: 4641295
A local or remote user may be able to terminate the SunNet Manager (SNM)
snmpd(1M) daemon due to its improper handling of malformed SNMP requests on Solaris.
This issue is described in CERT Vulnerability VU#854306
=======================================================
44)
The OpenSSL on Sun/Cobalt Platforms Have Remotely Exploitable Vulnerabilities
ID: 101079 (formerly 46424)
# Product: Cobalt RaQs and Qubes
# BugIDs: 15787
Sun Cobalt RaQs and Qubes may be vulnerable to Denial of Service attacks,
service interruptions, and in some cases a local or remote attacker may be
able to execute arbitrary code on a Cobalt system and possibly gain elevated
privileges due to several buffer overflows found in OpenSSL. All Sun Cobalt
RaQs and Qubes are affected by the OpenSSL buffer overflows.
More details of the OpenSSL buffer overflows are available from CERT
Vulnerability Notes VU#102795
=======================================================
45)
Buffer Overflow in the ToolTalk Library
ID: 101076 (formerly 46366)
# Product: Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6 Operating System,
Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4713445
A local or remote user may be able to execute arbitrary code or commands with the privileges of the rpc.ttdbserverd(1M) daemon due to a buffer overflow vulnerability discovered in the Common Desktop Environment (CDE) ToolTalk RPC database server, rpc.ttdbserverd(1M). The rpc.ttdbserverd(1M) daemon runs with root privileges.
This issue is described in the CERT Vulnerability VU#387387
=======================================================
46)
Buffer Overflow in DNS Resolver Library (CA-2002-19)
ID: 101069 (formerly 46042)
# Product: Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6 Operating
System, Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4708913
An unprivileged remote user who is able to send malicious DNS responses
could exploit this vulnerability to execute arbitrary code or cause a denial
of service on vulnerable systems. Any code executed by the attacker would run
with the privileges of the process that calls the vulnerable resolver function.
There are some processes which run with root privileges (daemons for example)
which call resolver routines and as such this is potentially a remote root vulnerability.
This issue is described in the CERT Vulnerability VU#803539
=======================================================
47)
aspppls(1M) Does Not Create the Temporary File /tmp/.asppp.fifo Safely
ID: 101089 (formerly 46903)
# Product: Solaris 8 Operating System
# BugIDs: 4683015
A local unprivileged user may be able to overwrite or create any file on a
Solaris 8 system which could lead to an unprivileged local user gaining
unauthorized root privileges due to a security issue with aspppls(1M).
=======================================================
48)
RPC Requests Involving AUTH_DES Authentication may Allow a User to Gain Elevated Privileges
ID: 101090 (formerly 46944)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System
# BugIDs: 4240833
Unprivileged local or remote users may be able to gain unauthorized elevated
privileges (in some cases root privileges) due to an issue with certain RPC
requests involving AUTH_DES authentication.
=======================================================
49)
Local User Privilege Escalation Vulnerability Involving "authenticate" on
Sun/Cobalt RaQ and Qube Platforms
ID: 101092 (formerly 46988)
# Product: Sun Cobalt Qube 3 Server, Sun Cobalt RaQ XTR Server, Sun Cobalt RaQ 4 Server
# BugIDs: 15710
A local unprivileged user on a Sun/Cobalt RaQ or Qube system could
exploit a vulnerability that exists in /usr/lib/authenticate to elevate
their privileges to root.
=======================================================
50)
A Rare Race Condition and Security Vulnerability May Cause System Panic
ID: 101099 (formerly 47353)
# Product: Solaris 9 Operating System, Solaris 2.6 Operating System,
Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4676535
A system panic may result from a rare race condition or a local
unprivileged user running exploit code.
=======================================================
51)
The Sun Crypto Accelerator 1000 Software is Vulnerable to OpenSSL Security
Vulnerabilities
ID: 101083 (formerly 46605)
# Product: Sun Crypto Accelerator 1000 PCI Card
# BugIDs: 4725003
Solaris 8 or 9 systems with the Sun Crypto Accelerator 1000 board which
are configured to use the Apache web server may be vulnerable to Denial
of Service attacks, service interruptions, and in some cases a local or
remote attacker may be able to execute arbitrary code on the Solaris 8 or
9 systems and possibly gain elevated privileges due to several buffer overflows
found in OpenSSL. Solaris 8 or 9 systems with the Sun Crypto Accelerator 1000
board which are configured to use the iPlanet web server are not affected by this issue.
There are multiple vulnerabilities in OpenSSL versions 0.9.6d and earlier,
as documented in the CERT Advisory VU#258555
=======================================================
52)
Sun Cobalt Security Vulnerability with Borland Interbase
ID: 101106 (formerly 47783)
# Product: Sun Cobalt RaQ, Cobalt Qube
# BugIDs: 16155
A local unprivileged user may be able to gain unauthorized root
access to a Sun Cobalt RaQ or Sun Cobalt Qube due to an issue with the
"/opt/interbase/bin/gds_lock_mgr" binary.
=======================================================
53)
Sun Linux Security Vulnerability in "gaim" Instant Messaging Client
ID: 101105 (formerly 47782)
# Product: Sun Linux 5.0
# BugIDs: 16104
On Sun Linux, a remote user may be able to execute arbitrary commands
messaging client.
This issue is described in CAN-2002-0989
=======================================================
54)
On Solaris 8 an Unprivileged User may Cause a System Panic if the
0x02 Bit is Set in "kmem_flags"
ID: 101114 (formerly 48067)
# Product: Solaris 8 Operating System
# BugIDs: 4349757
A local unprivileged user can panic the system if the kmem_flags
kernel parameter has the 0x02 bit set which is also known as the "TEST",
"KMF_DEADBEEF" or "deadbeef" flag setting.
=======================================================
55)
Possible Denial of Service for OpenWindows mailtool(1) Users
ID: 101117 (formerly 48216)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System,
Solaris 8 Operating System
# BugIDs: 4755258
An unprivileged local or remote user may be able to cause a denial of service for OpenWindows' mailtool(1) users.
=======================================================
56)
TCP Reset Segment Generation Could Result in a Denial of Service Attack
ID: 101116 (formerly 48209)
# Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7
Operating System, Solaris 8 Operating System
# BugIDs: 4635484
Due to the requirement that the TCP protocol generates reset segments,
a malicious user may be able to launch a denial of service attack (DoS)
possibly hanging the system. The attack would be launched remotely
by a privileged user.
=======================================================
57)
Web-Based Enterprise Management (WBEM) on Solaris 8 Installs Insecure Files
ID: 101122 (formerly 48320)
# Product: Solaris 8 Operating System
# BugIDs: 4381755
Installation of Solaris 8 Update 1/01 (or later Solaris 8 Update Releases)
will by default install the Web-Based Enterprise Management (WBEM) packages
"SUNWwbdoc", "SUNWwbcou", "SUNWwbdev" and "SUNWmgapp". These packages install
files with world and/or group write permissions.
As a result, an unprivileged local user may be able to gain
unauthorized root access or cause a denial of service.
=======================================================
58)
Security Vulnerability in Java(TM) Runtime Environment "zlib"
Compression Library
ID: 101132 (formerly 48761)
# Product: Java(TM) Runtime Environment
# BugIDs: 4651525
Sun's implementations of the Java(TM) Runtime Environment include
"zlib" and are affected. This issue may allow malicious code to
corrupt memory and possibly crash the Java Runtime Environment.
CERT has reported an issue in the "zlib 1.1.3" compression library
=======================================================
59)
Sun Cobalt RaQ 4 is Vulnerable to a Local or Remote User Exploit
ID: 101148 (formerly 49377)
# Product: Sun Cobalt RaQ 4 Server
# BugIDs: none
Sun Cobalt RaQ 4 server appliances with the SHP (Security Hardening Patch)
installed are vulnerable to a remotely exploitable vulnerability. A local
or remote unprivileged user may be able to execute arbitrary code with
root (uid 0) privileges.
This issue is described in CERT Vulnerability VU#810921
=======================================================
60)
Java VM Allows Constructors not to Call Other Constructors
ID: 101147 (formerly 49304)
# Product: SDK, JDK and JRE 1.1.x
# BugIDs: 4243535
A defect in the Java Bytecode Verifier may allow new instances of
objects to be created without calling the proper initialization
method from within the constructor of the created class.
Customer deployments of affected versions of the Java runtime environment
may encounter
=======================================================
61)
Sun Linux Security Vulnerability in "gv" ("Ghostview") Command
ID: 101104 (formerly 47780)
# Product:  Sun Linux 5.0
# BugIDs: 16164
On Sun Linux, a local or remote user may be able to gain unauthorized
user access rights due to a buffer overflow in the "gv" ("Ghostview") command.
=======================================================
62)
X Font Server May Allow Denial of Service
ID: 101135 (formerly 48879)
# Product: Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6 Operating
System, Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4764193
A local or remote user may be able to cause a denial of service, or possibly
execute arbitrary code or commands with the privileges of the xfs(1) X font server.
The X font server runs as user "nobody".
=======================================================
63)
On Solaris an Unprivileged User may Cause a System Panic (Denial of Service)
ID: 101121 (formerly 48267)
# Product: Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6 Operating System,
Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4360843
A local unprivileged user may be able to panic a system causing Denial of Service.
=======================================================
64)
Security Vulnerability in the Network Services Library, libnsl(3LIB)
ID: 101071 (formerly 46122)
# Product: Solaris 9 Operating System, Solaris 2.5.1, Solaris 2.6
Operating System, Solaris 7 Operating System, Solaris 8 Operating System
# BugIDs: 4691127
A local or remote user may be able to gain unauthorized root privileges
due to a type overflow vulnerability in the xdr_array(3NSL) function
which is part of the network services library, libnsl(3LIB), on Solaris.
This issue is described in the CERT Vulnerability VU#192995
=======================================================
65)
Solaris 8 and Solaris 9 Network Interface may Stop Responding to TCP Traffic
ID: 101129 (formerly 48601)
# Product: Solaris 9 Operating System, Solaris 8 Operating System
# BugIDs: 4691577
A local or remote unprivileged user may be able to cause some network
interfaces to stop responding to TCP(7P) traffic.
=====================  End of 2002 =========================

Product
Solaris 8 Operating System

