Note: This is an archival copy of Security Sun Alert 249126 as previously published on
Latest version of this security advisory is available from as Sun Alert 1019926.1.
Article ID : 1019926.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2009-01-20
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Incorrect Software Setting Prior to Shipping on Certain Sun SPARC M4000/M5000 Servers May Allow Unauthorized Access



Release Phase

Bug Id

Sun SPARC Enterprise M4000 Server
Sun SPARC Enterprise M5000 Server

Date of Resolved Release

Incorrect software setting prior to shipping on certain Sun SPARC M4000/M5000 servers may allow unauthorized access

1. Impact
Due to incorrect software settings prior to shipping on certain Sun SPARC
Enterprise M4000/M5000 servers the following issues will be seen:

- Some system features and commands will not behave as expected
- If an error is reported by the Solaris Fault Management Architecture
(FMA) the message will contain an incorrect URL.
- Sun Management Center(SunMC) fails to run on the system
- A local or remote user may be able to log in as root to the eXtended
System Control Facility Unit (XSCFU), also known as the Service Processor.

2. Contributing Factors

This issue can occur on the following platforms:
  • SPARC Enterprise M4000/M5000 Servers with serial numbers for the weeks of 38 through 49 of 2008
The serial number can be used to determine the affected weeks. To obtain the system serial number, use the "showhardconf" command at the XSCF prompt:
    XSCF> showhardconf
SPARC Enterprise M5000;
+ Serial:BCF084604T; Operator_Panel_Switch:Service;
Power_Supply_System:Single; SCF-ID:XSCF#0;
------ Deleted additional output ---------------
Serial number breakdown to determine affected weeks:

PP is a factory code
M is a model code
YY is the last two digits of the year
WW is the week of the calendar year
SSS is a hexidecimal or alphanumeric sequence number
In the example above, serial number BCF084604T  indicates it is from week 46 of 2008.

3. Symptoms

If the described issue occurs, the OBP Banner or Browser User Interface (BUI) may display a non-Sun brand.

Another symptom can be seen when typing the keyboard sequence <tab><tab> at the XSCF prompt with the current user in "Normal" mode. This sequence will display a list of all available commands. If the command "enablecodboard" is present in the list, the described issue has been experienced.

4. Workaround

There is no workaround for this issue.  Please see the Resolution below.

5. Resolution

If you believe you have an affected system, a Sun Service Request needs to be opened to correct the manufacturing settings.

Typically this issue can be fixed using Shared Shell (see:

For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History
19-Jan-2009: Updated Impact section.

This solution has no attachment