Note: This is an archival copy of Security Sun Alert 200591 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000453.1.
Article ID : 1000453.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-09-03
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in Sun Cluster Software may Lead to Data Corruption and "send_mondo" Panics



Category
Security

Release Phase
Resolved

Product
Sun Cluster 3.1
Solaris Cluster 3.2

Bug Id
6497075

Date of Workaround Release
24-APR-2007

Date of Resolved Release
31-AUG-2007

Impact

A privileged user on a Sun Cluster node which is a current cluster member may be able to corrupt in-memory data structures of a sibling cluster node. This can lead to a system panic and/or data corruption on the sibling node which can affect application throughput or availability of data or applications to end users depending on how the Sun Cluster is configured and is thus a type of Denial of Service (DoS).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Cluster 3.1 (for Solaris 8) without patch 117950-29
  • Sun Cluster 3.1 (for Solaris 9) without patch 117949-29
  • Sun Cluster 3.1 (for Solaris 10) without patch 120500-14
  • Solaris Cluster 3.2 (for Solaris 9) without patch 126105-01
  • Solaris Cluster 3.2 (for Solaris 10) without patch 126106-01

x86 Platform

  • Sun Cluster 3.1 (Solaris 9) without patch 117909-29
  • Sun Cluster 3.1 (Solaris 10) without patch 120501-14
  • Solaris Cluster 3.2 (Solaris 10) without patch 126107-01

Note 1: Sun Cluster 3.0 is not affected by this issue.

Note 2: Sun Cluster 3.1 is not supported on Solaris 8. Solaris Cluster 3.2 is not supported on the x86 platform for either Solaris 8 or Solaris 9.

Note 3: The Symcli backup software version 6.2.1 which is supplied by EMC may trigger this issue and cause attached cluster nodes to panic or experience data corruption.

Note 4: EMC Symcli backup software is installed under "/opt/emc/SYMCLI". Under this path, a directory is named as the Symcli version.


Symptoms

If the described issue occurs, data corruption and "send_mondo" panics may occur with a stack trace similar to the following:

    genunix:cdev_ioctl()
   did:didioctl()
   specfs:spec_ioctl()
   pxfs:void fobj_ii::cascaded_ioctl ( )
   pxfs:void io_repl_impl::cascaded_ioctl ( )
   cl_comm:void _fs_fobj_cascaded_ioctl_receive()
   cl_comm:void replica_handler::handle_incoming_call()
   cl_comm:void rxdoor::handle_request_common()
   cl_comm:void rxdoor::handle_twoway()
   cl_comm:void recstream::execute() - frame recycled
   cl_comm:void threadpool_worker_t::deferred_task_handler()
   cl_comm:void threadpool::thread_handler()
   cl_comm:cllwpwrapper()
   unix:thread_start()
   ---xxx---
   panic string:   send_mondo_set: timeout

Note: A "Bad Trap" panic could be another symptom for this issue.


Workaround

There is no workaround. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun Cluster 3.1 (for Solaris 8) with patch 117950-29 or later
  • Sun Cluster 3.1 (for Solaris 9) with patch 117949-29 or later
  • Sun Cluster 3.1 (for Solaris 10) with patch 120500-14 or later
  • Solaris Cluster 3.2 (for Solaris 9) with patch 126105-01 or later
  • Solaris Cluster 3.2 (for Solaris 10) with patch 126106-01 or later

x86 Platform

  • Sun Cluster 3.1 (Solaris 9) with patch 117909-29 or later
  • Sun Cluster 3.1 (Solaris 10) with patch 120501-14 or later
  • Solaris Cluster 3.2 (Solaris 10) with patch 126107-01 or later


Modification History
Date: 31-AUG-2007
  • State: Resolved
  • Updated Contributing Factors and Resolution sections


References

117949-29
120500-14
117909-29
120501-14
117950-29
126105-01
126106-01
126107-01




Attachments
This solution has no attachment