
Sun Cluster TCP Port Conflict Denial of Service Vulnerability

Dec 5, 2003 2:07AM PST

Secunia Advisory: SA10369
Release Date: 2003-12-05

Critical: Not critical
Impact: DoS
Where: Local system
Software: Sun Cluster 2.x, Sun Cluster 3.x

Description:
Sun has reported a vulnerability in Sun Cluster, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Any local user allowed to run a client application, which uses a TCP port, can cause a cluster node to crash by using the same port as the DLM (Distributed Lock Manager).

Sun reports that successful exploitation requires the following:
* The Sun Cluster Oracle OPS/RAC packages ORCLudlm and SUNWudlm are installed
* The Solaris Secure Shell server daemon is running
* The system is configured to enable X11 forwarding

The vulnerability affects the following releases on a SPARC Platform:
* Sun Cluster 2.2 (for Solaris 2.6, Solaris 7, and Solaris 8)
* Sun Cluster 3.0 (for Solaris 8 and Solaris 9)
* Sun Cluster 3.1 (for Solaris 8 and Solaris 9)


Solution:
Grant only trusted users access to affected systems.

Sun Cluster systems should not be used for client applications.

Sun has included various workarounds in the original advisory.


http://www.secunia.com/advisories/10369/
