Description
This is a reference document for security Sun Alerts. This document explains in detail the various sections of a security Sun Alert, security vulnerability related terminology and Sun's response to internal and external vulnerability reports.
Steps to Follow
Sun Security Alerts
Introduction
Security Sun Alerts are bulletins published for security
vulnerabilities affecting Sun products. Security Sun Alerts
describe in detail a summary of the vulnerability, factors
contributing to the issue, symptoms that would help users detect if
the described issue has been encountered, any relief or work around
that may alleviate or prevent the issue and the resolutions
available in the form of patches or Updates that fix the security
vulnerabilities.
Security Sun Alerts and security patches are available free of
cost to all customers and users of Sun's products. These resources
may be accessed via the Sunsolve portal at http://sunsolve.sun.com/.
Sun believes in responsible security vulnerability disclosure
and works with reporters of security vulnerabilities in
coordinating the public disclosure of reported issues. It is Sun's
policy to address security vulnerabilities in all affected releases
of the vulnerable products. In the case of privately reported
vulnerabilities the security Sun Alert would be published once the
issue is resolved in all affected and supported releases.
Security vulnerabilities are assigned the highest priority in
Sun's bug tracking system in order to address the issues as quickly
as possible. Reporters of security vulnerabilities will be
periodically updated at various stages of the root cause analysis,
bug fix and patch verification stages.
Security patches and Updates normally go through a System Test
and Performance QA Test cycle (see Solution 213019 for more
information) in order to verify fixes, test for regressions, and
check that there isn't a serious performance impact. Some of Sun's
products have Update release cycles that govern the date when a
coordinated security vulnerability can be made public. Sun Alerts
for such issues will be published along with the Update releases.
Preliminary and Workaround Sun Alerts
In cases where there has been a public announcement of a
security vulnerability in a Sun product and Sun does not have a
final resolution for all affected products, Sun publishes a
Preliminary or a Workaround Sun Alert describing the impact, the
contributing factors and work around (if available) for the
described issue(s). In addition, temporary or interim fixes for an
issue(s) will be made available where possible. The Sun Alert will
be updated whenever resolution data is available such as patches or
Updates being released.
Security Sun Alert fields
1. Impact
This section describes in sufficient detail the potential impact
of the vulnerability on the users' computing environment. The
Impact section answers the question "What could happen if I
ignore this?"
Commonly used terminology in the 'Impact' section includes:
- Local User: A vulnerability exploitable only by a local user
requires the user to have either physical access to the vulnerable
system or a local (shell) account. Examples of locally exploitable
vulnerabilities are peripheral attacks such as Firewire/USB DMA
attacks, and local privilege escalations.
[Source: CVSS v2 Documentation:
http://www.first.org/cvss/cvss-guide.html]
- Remote User: A vulnerability exploitable by a remote user means
the vulnerable software is bound to the network stack and the user
does not require local network access or local access. Such a
vulnerability is often termed "remotely exploitable". An example of
such a vulnerability is an RPC buffer overflow.
[Source: CVSS v2 Documentation:
http://www.first.org/cvss/cvss-guide.html]
- Denial of Service (DoS): A security vulnerability may lead to a
Denial of Service to a system if it renders the affected host
unresponsive to user input and prevents remote users from accessing
services on the host. Likewise, a Denial of Service to a particular
service means that the vulnerability renders only the particular
service unresponsive to all users while the rest of the system may
be active.
- System Panic: A system panic, induced by an unprivileged user, is
a type of Denial of Service to the whole system, consisting of an
unexpected reset (or reboot) of the system. This causes users of
the system to potentially lose or corrupt any unsaved data. Remote
users would be disconnected and would have to reestablish their
connections. All processes running on the system would terminate
immediately and an improper file system shutdown may result. A
system panic may not guarantee that the system will come up without
user intervention after the reboot.
- Execution of arbitrary code: A vulnerability leading to execution
of arbitrary code means that the local or remote user exploiting
the security issue may cause unintended code to execute with the
privileges of the user executing the affected application, or with
the privileges of the application being compromised.
Man page references are provided in the Impact section where
possible, with the name of the page followed by its section in
parentheses (for example: ls(1), kadmind(1M) and so on).
Several factors play roles in exploiting security
vulnerabilities. Sun therefore does not use definite terminology
such as "will" (for example, "... will lead to a Denial of Service
condition" or "... will lead to escalation of privileges as
root..."), "can" and "must". Most Sun Alert 'Impact' statements use
the word "may" to describe the consequence of a security issue (for
example, "... may lead to a Denial of Service condition"). The
Impact section of the Sun Alert will not include exploit
information or ways to reproduce the vulnerability.
The Impact section also includes references to the Common
Vulnerabilities and Exposures (CVE) entries and CERT Vulnerability
Notes where available. If the Sun Alert describes an issue
coordinated with an external organization, a URL pointing to the
security bulletin posted by the reporting institution will be added
to the Sun Alert.
Sun does not publish severity ratings or scores in security Sun
Alerts. Security vulnerabilities pose varying degrees of threat to
customers or users depending on their computing environment. A
single numerical or verbal score for a security issue may hence
mislead a user into either overrating or undervaluing the described
security vulnerability in his or her environment. Sun encourages
users to peruse Sun Alerts and use the information provided to
evaluate the risk of the security issue(s) in their
environment.
Sun encourages responsible disclosure of security
vulnerabilities by attributing credit to reporters of security
issues who work with Sun in the vulnerability coordination process.
Sun Alerts for these externally coordinated issues carry an
acknowledgment text thanking the reporters for their
contributions.
2. Contributing Factors
While the Impact section describes what can happen if an issue
is exploited, the Contributing Factors section lists the
information that determines whether an issue is exploitable on a
given system. The information in this section can therefore be used
to evaluate whether action needs to be taken for a given
system.
The Contributing Factors section lists all supported Sun
products affected by the described vulnerability and for all of
these products a resolution will either be available or will be
made available in the future. This section also includes
information on the patch, Upgrade or firmware revision numbers for
the affected products. Sun provides remedial support to products
for a period of two years after they have reached the End of
Life (EOL) stage. Only those products that are currently in the
active support stage (which includes the two year period after the
initial EOL announcement) will be mentioned in the Sun Alert.
The Contributing Factors section answers the question "Am I at
risk?"
Instructions describing how to identify vulnerable systems
via system commands and configuration files are typically included.
For example, if a specific system configuration setting causes the
system to be vulnerable then a method for determining if the
setting was configured would be supplied.
3. Symptoms
Sun's products have extensive built in auditing and diagnostic
capabilities. Users may use these tools and commands to observe
certain system behavior or postmortem artifacts to determine that
the described issue has been exploited.
The 'Symptoms' section explains in detail how to detect and
verify that the described issue has occurred. This includes error
messages, panic strings or stack traces where the errors can be
seen or inferred.
Any information that may make it easy for a malicious user to
reproduce the issue will not be included in this section. Technical
root causes will not be discussed in the 'Symptoms' section.
4. Relief/Workaround
This section lists recovery steps a user may employ when the
described issue occurs or preemptive action that can be taken to
prevent the issue from being exploited. If a user configurable and
supportable workaround is available, step-by-step instructions are
provided so that the user may prevent the vulnerabilities from
being exploited before the resolution can be applied to the system.
For example if a specific system setting would make an issue
unexploitable, this section would provide instructions on how to
activate that setting. In the case of Sun Alerts where Workaround
is checked in the Avoidance section, these relief instructions or
workarounds help customers to temporarily prevent exploitation of
the vulnerabilities until Sun releases the patches or Update for
the issue. Any impact and possible negative effect that may occur
by deploying the workaround will be mentioned in this section.
For security issues which are public before the resolution
patches have completed their testing and release process, Sun may
make the pre-release patch available via a special web page.
In such cases the pre-release patch is referred to as a T-patch.
Once the patch completes its test processes it will be moved to
full release status and appear in the regular patch collection on
SunSolve. Customers who install such T-patches do not need to
remove the T-patch and install the released patch version once it
is available. The only difference between the T-patch and the
released patch is the README, which will have undergone
reformatting and may contain corrections.
If an issue becomes public before Sun has created T-patches, Sun
may publish an emergency Interim Security Relief (ISR). An ISR is
an IDR (Interim Diagnostics or Relief) that addresses a security
issue. More information about IDRs is available at
http://sunsolve.sun.com/show.do?target=IDR
5. Resolution
The Resolution section lists all officially released patches,
Updates, and publicly available solutions to the security issues.
All impacted products mentioned in the Contributing Factors section
will be addressed here before the Sun Alert is considered Resolved.
In the case of Preliminary or Workaround Sun Alerts, the
Resolution section typically contains no patches (or Updates) or a
partial list of solutions. Once all resolution patches or Updates
are available, the Sun Alert is marked Resolved.
Product: SunSolve 5