Category
Security
Release Phase
Resolved
Bug Id
6880209
Date of Resolved Release
03-Nov-2009
1. Impact
A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0
authentication mechanism may
allow remote unprivileged users to gain unauthorized access to the
VirtualBox web service.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun VDI Software 3.0 (for Solaris 10) without patch 141481-03 and
using VirtualBox 2.0.8 or 2.0.10
x86 Platform
- Sun VDI Software 3.0 (for Solaris 10) without patch 141482-03 and
using VirtualBox 2.0.8 or 2.0.10
Note 1: Sun VDI 2.0 does not provide integration with
VirtualBox and therefore is not impacted by this issue.
To determine the version of Sun VDI Software on a system, the following
command can be run:
$ pkgparam SUNWvda-service VERSION
3.0_71,REV=2009.03.11.11.27
Note 2: This issue is only present in Sun VDI 3.0
configurations using VirtualBox desktop providers.
To determine the type of desktop providers configured for Sun VDI 3.0,
the following command can be run:
# /opt/SUNWvda/sbin/vda provider-list | grep -i VirtualBox
<ProviderName> Sun VirtualBox 5 0 1% (155 MHz) 13% (2.2 GB) 0% (16.1 GB)
Note 3: This issue is only present for VirtualBox version
2.0.8 and 2.0.10 for Sun VDI.
To determine the version of VirtualBox on a system, the following
command can be run:
$ pkgparam SUNWvbox VERSION
2.0.10,REV=r50334.2009.07.21.16.12
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.
Access from hosts/IPs other than Sun VDI 3.0 core servers in the
Apache2 access log
(/var/apache2/logs/access_log) may indicate an unauthorized user.
4. Workaround
To work around the described issue, firewall rules may be configured
on the VirtualBox hosts to allow
connections only from the VDI core servers. See the firewall product
documentation for more information
on how to configure firewall rules.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun VDI Software 3.0 (for Solaris 10) with patch 141481-03 or
later and with VirtualBox 2.0.12 or later
x86 Platform
- Sun VDI Software 3.0 (for Solaris 10) with patch 141482-03 or
later and with VirtualBox 2.0.12 or later.
Note: VirtualBox 2.0.12 is required to address the issue
described, and may be
downloaded from the following URL:
http://www.sun.com/software/vdi/get.jsp
Click on the "Download" button in the "Download Sun VDI Software 3"
section.
VirtualBox 2.0.12 should be installed after applying the Sun VDI 3.0
patch (141481-03 or 141482-03).
For more information on Security Sun Alerts, see
1009886.1
Product
Sun Virtual Desktop Infrastructure Software 3.0
References
141481-03
141482-03
References
SUNPATCH:141481-03
SUNPATCH:141482-03
AttachmentsThis solution has no attachment