Note: This is an archival copy of Security Sun Alert 200013 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000010.1.
Category: Security
Release Phase: Resolved
Sun Cluster 3.1
Bug Id: 5076947
Date of Resolved Release: 29-MAR-2006

Impact

A local user who has been granted the "solaris.cluster.gui" authorization may be able to view files which would normally be inaccessible to that user due to a security vulnerability in the Sun Cluster SunPlex Manager GUI.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

x86 Platform

Notes:

To determine if Sun Cluster 3.1 4/04 is installed on a system, the following command can be run:

    $ /usr/cluster/bin/scinstall -p | grep 3.1u2
    3.1u2

If the system returns 3.1u2 (as in the example above), then it is impacted by this issue.

To determine if a local user has been granted the "solaris.cluster.gui" authorization, the auths(1) command can be used, as in the following example:

    $ auths username
    solaris.system.date,solaris.cluster.gui

Symptoms

There are no predictable symptoms that would indicate the described issue has occurred.

Workaround

To work around the described issue, temporarily disable SunPlex Manager by running the script as shown below (as 'root'):

    # /etc/init.d/initspm stop

Note: Disabling this service will mean that users will be unable to administer the Sun Cluster software using the SunPlex Manager Software.

Resolution

This issue is addressed in the following releases:

SPARC Platform

x86 Platform

Note: It is necessary to install or upgrade to Sun Cluster 3.1 9/04 or later.

Attachments

This solution has no attachment
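
The two checks from the Notes section, combined into one audit script. This is an added example, not part of the original Sun Alert. It assumes a POSIX shell (on Solaris of this era /usr/xpg4/bin/sh or ksh rather than /bin/sh), reads local accounts from /etc/passwd, and also counts RBAC wildcard entries such as solaris.cluster.* or solaris.*, which user_attr(4) permits and which a plain search for "solaris.cluster.gui" would miss. The AUTHS_CMD variable is a hypothetical hook for testing.

```shell
#!/bin/sh
# Added example (not Sun's code): audit accounts for the advisory's authorization.
TARGET="solaris.cluster.gui"

# grants_auth LIST AUTH: succeed if the comma-separated LIST, as printed by
# auths(1), holds AUTH exactly or a wildcard entry (e.g. solaris.*) covering it.
# The body runs in a subshell so the IFS and noglob changes do not leak out.
grants_auth() (
    set -f; IFS=', '
    for entry in $1; do
        case $entry in
            "$2") exit 0 ;;
            *.\*) case $2 in "${entry%\*}"*) exit 0 ;; esac ;;
        esac
    done
    exit 1
)

# release_affected TEXT: succeed if scinstall -p output names release 3.1u2.
release_affected() {
    case $1 in *3.1u2*) return 0 ;; *) return 1 ;; esac
}

# report_users: read user names on stdin, print those granted TARGET.
# AUTHS_CMD (assumption, for offline testing) overrides the auths(1) command.
report_users() {
    while read -r user; do
        [ -n "$user" ] || continue
        if grants_auth "$(${AUTHS_CMD:-auths} "$user" 2>/dev/null)" "$TARGET"; then
            printf '%s\n' "$user"
        fi
    done
}

# Run the audit only where Sun Cluster is installed.
if [ -x /usr/cluster/bin/scinstall ]; then
    if release_affected "$(/usr/cluster/bin/scinstall -p)"; then
        echo "Sun Cluster 3.1u2 found; local accounts holding $TARGET:"
        cut -d: -f1 /etc/passwd | report_users
    else
        echo "Release 3.1u2 not reported by scinstall -p"
    fi
fi
```

Accounts listed by the script are the ones to review before SunPlex Manager is re-enabled on an unpatched node.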