Note: This is an archival copy of Security Sun Alert 265488 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020824.1.
Date of Resolved Release
A security vulnerability in Sun Virtual Desktop Infrastructure (VDI) Software 3.0 may lead to inadvertent use of an insecure LDAP connection:
A security vulnerability in Sun Virtual Desktop Infrastructure (VDI) Software 3.0 may allow a remote privileged user to view client LDAP requests for VDI configuration data.
2. Contributing Factors
This issue can occur in the following releases:
To determine the version of Sun Virtual Desktop Infrastructure Software on a system, the following command can be run:
$ /usr/bin/pkginfo -l SUNWvda-service | grep -i version
Note 2: Only systems which have been set up to use a secure LDAP connection are vulnerable to this issue. To determine if a system has been set up in this way, execute the following command:
# /opt/SUNWvda/sbin/vda directory-show
3. Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
Unless the LDAP User Directory has an insecure configuration, the Sun VDI 3.0 service will not function.
To work around this issue, anonymous binding should be disabled (using ACLs or other settings, depending on the type of LDAP directory used) on the LDAP directory to prevent the silent fallback to an unencrypted connection.
This issue is addressed in the following releases:
For more information on Security Sun Alerts, see 1009886.1.
Sun Virtual Desktop Infrastructure Software 3.0