Security Sun Alerts



Description

This is a reference document for security Sun Alerts. This document explains in detail the various sections of a security Sun Alert, security vulnerability related terminology and Sun's response to internal and external vulnerability reports.





Steps to Follow

Sun Security Alerts


Introduction

Security Sun Alerts are bulletins published for security vulnerabilities affecting Sun products. Security Sun Alerts describe in detail a summary of the vulnerability, factors contributing to the issue, symptoms that would help users detect if the described issue has been encountered, any relief or work around that may alleviate or prevent the issue and the resolutions available in the form of patches or Updates that fix the security vulnerabilities.

Security Sun Alerts and security patches are available free of cost to all customers and users of Sun's products. These resources may be accessed via the Sunsolve portal at http://sunsolve.sun.com/.

Sun believes in responsible security vulnerability disclosure and works with reporters of security vulnerabilities in coordinating the public disclosure of reported issues. It is Sun's policy to address security vulnerabilities in all affected releases of the vulnerable products. In the case of privately reported vulnerabilities the security Sun Alert would be published once the issue is resolved in all affected and supported releases.

Security vulnerabilities are assigned the highest priority in Sun's bug tracking system in order to address the issues as quickly as possible. Reporters of security vulnerabilities will be periodically updated at various stages of the root cause analysis, bug fix and patch verification stages.

Security patches and Updates normally go through a System Test and Performance QA Test cycle (See < Solution: 213019 > for more information) in order to verify fixes, test for regressions, and check that there isn't a serious performance impact. Some of Sun's products have Update release cycles that govern the date when a coordinated security vulnerability can be made public. Sun Alerts for such issues will be published along with the Update releases.

Preliminary and Workaround Sun Alerts

In cases where there has been a public announcement of a security vulnerability in a Sun product and Sun does not have a final resolution for all affected products, Sun publishes a Preliminary or a Workaround Sun Alert describing the impact, the contributing factors and work around (if available) for the described issue(s). In addition, temporary or interim fixes for an issue(s) will be made available where possible. The Sun Alert will be updated whenever resolution data is available such as patches or Updates being released.

Security Sun Alert fields

1. Impact

This section describes in sufficient detail the potential impact of the vulnerability on the users' computing environment. The Impact section answers the question "What could happen if I ignore this?"

Commonly used terminology in the 'Impact' section includes:

  1. Local User: A vulnerability exploitable only by a local user requires the user to have either physical access to the vulnerable system or a local (shell) account. Examples of locally exploitable vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege escalations.

    [Source: CVSS v2 Documentation: http://www.first.org/cvss/cvss-guide.html]

  2. Remote User: A vulnerability exploitable by a remote user means the vulnerable software is bound to the network stack and the user does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". An example of such a vulnerability is an RPC buffer overflow.

    [Source: CVSS v2 Documentation: http://www.first.org/cvss/cvss-guide.html]

  3. Denial of Service (DoS): A security vulnerability may lead to a Denial of Service to a system if it renders the affected host unresponsive to user input and prevents remote users from accessing services on the host. Likewise, a Denial of Service to a particular service means that the vulnerability renders only the particular service unresponsive to all users while the rest of the system may be active.

  4. System Panic: A system panic, induced by an unprivileged user, is a type of Denial of Service to the whole system, consisting of an unexpected reset (or reboot) of the system. This causes users of the system to potentially lose or corrupt any unsaved data. Remote users would be disconnected and would have to reestablish their connections. All processes running on the system would terminate immediately and an improper file system shutdown may result. A system panic may not guarantee that the system will come up without user intervention after the reboot.

  5. Execution of arbitrary code: A vulnerability leading to execution of arbitrary code means that the local or remote user exploiting the security issue may cause unintended code to execute with the privileges of the user executing the affected application, or with the privileges of the application being compromised.

Man page references are provided in the Impact section where possible, with the name of the page followed by its section in parentheses (for example: ls(1), kadmind(1M) and so on).

Several factors play roles in exploiting security vulnerabilities. Sun therefore does not use definite terminology such as "will" (for example, "... will lead to a Denial of Service condition" or "... will lead to escalation of privileges as root..."), "can" and "must". Most Sun Alert 'Impact' statements use the word "may" to describe the consequence of a security issue (for example, "... may lead to a Denial of Service condition"). The Impact section of the Sun Alert will not include exploit information or ways to reproduce the vulnerability.

The Impact section also includes references to the Common Vulnerabilities and Exposures (CVE) entries and CERT Vulnerability Notes where available. If the Sun Alert describes an issue coordinated with an external organization, a URL pointing to the security bulletin posted by the reporting institution will be added to the Sun Alert.

Sun does not publish severity ratings or scores in security Sun Alerts. Security vulnerabilities pose varying degrees of threat to customers or users depending on their computing environment. A single numerical or verbal score for a security issue may hence mislead a user into either overrating or undervaluing the described security vulnerability in his or her environment. Sun encourages users to peruse Sun Alerts and use the information provided to evaluate the risk of the security issue(s) in their environment.

Sun encourages responsible disclosure of security vulnerabilities by attributing credit to reporters of security issues who work with Sun in the vulnerability coordination process. Sun Alerts for these externally coordinated issues carry an acknowledgment text thanking the reporters for their contributions.

2. Contributing Factors

While the Impact section describes what can happen if an issue is exploited, the Contributing Factors section lists the information that determines whether an issue is exploitable on a given system. The information in this section can therefore be used to evaluate whether action needs to be taken for a given system.

The Contributing Factors section lists all supported Sun products affected by the described vulnerability and for all of these products a resolution will either be available or will be made available in the future. This section also includes information on the patch, Upgrade or firmware revision numbers for the affected products. Sun provides remedial support to products for a period of two years after they have reached the End of Life (EOL) stage. Only those products that are currently in the active support stage (which includes the two year period after the initial EOL announcement) will be mentioned in the Sun Alert.

The Contributing Factors section answers the question "Am I at risk?" Instructions describing how to identify vulnerable systems via system commands and configuration files are typically included. For example, if a specific system configuration setting causes the system to be vulnerable, then a method for determining whether the setting was configured would be supplied.
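The Contributing Factors section typically names the patch and revision that resolves an issue; a user then has to compare that against what is installed. The following is an added example (not part of this document or of any Sun tool) that parses output in the style of the Solaris `showrev -p` command and reports, for each patch-revision a Sun Alert lists, whether the system already carries the fix. The sample lines and all patch IDs in it are constructed for illustration; it also assumes that a patch listed in another patch's "Obsoletes" field carries that patch's fixes.

```python
import re

# Constructed sample in the style of `showrev -p` output on Solaris
# (patch IDs, revisions and package names are made up for this example).
SAMPLE_SHOWREV = """\
Patch: 118833-36 Obsoletes: 118822-30 Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcsu
Patch: 119254-05 Obsoletes:  Requires: 118833-17 Incompatibles:  Packages: SUNWinstall
Patch: 120011-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
"""

# One `showrev -p` line: "Patch: <base>-<rev> Obsoletes: <list> Requires: ..."
PATCH_LINE = re.compile(
    r"^Patch:\s*(\d{6})-(\d{2})\s+Obsoletes:\s*(.*?)\s*Requires:", re.MULTILINE
)


def split_patch_id(patch_id):
    """'118833-36' -> ('118833', 36)."""
    base, rev = patch_id.split("-")
    return base, int(rev)


def parse_showrev(text):
    """Return {base_id: (highest installed revision, set of obsoleted base IDs)}."""
    installed = {}
    for m in PATCH_LINE.finditer(text):
        base, rev = m.group(1), int(m.group(2))
        # The Obsoletes list is comma separated; keep only the base IDs.
        obsoleted = {tok.split("-")[0] for tok in re.split(r"[,\s]+", m.group(3)) if tok}
        prev_rev, prev_obs = installed.get(base, (-1, set()))
        installed[base] = (max(prev_rev, rev), prev_obs | obsoleted)
    return installed


def is_resolved(installed, required_patch):
    """True if the system carries the fix named by one required patch-revision."""
    base, rev = split_patch_id(required_patch)
    if base in installed and installed[base][0] >= rev:
        return True
    # Assumption for this example: a patch that obsoletes the required
    # base ID includes its fixes, so the system is treated as resolved.
    return any(base in obs for _, obs in installed.values())


def evaluate(text, required_patches):
    """Map each required patch to True (fix present) or False (still affected)."""
    installed = parse_showrev(text)
    return {p: is_resolved(installed, p) for p in required_patches}


if __name__ == "__main__":
    # Constructed list of patch-revisions as a Sun Alert might list them.
    wanted = ["118833-36", "118833-37", "118822-30", "120011-10", "123456-01"]
    for patch, ok in evaluate(SAMPLE_SHOWREV, wanted).items():
        print(f"{patch}: {'resolved' if ok else 'AFFECTED'}")
```

On a real system the text would come from running `showrev -p` and the required list from the Sun Alert's Resolution section; a result of False for any entry means the Contributing Factors still apply to that host.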

3. Symptoms

Sun's products have extensive built in auditing and diagnostic capabilities. Users may use these tools and commands to observe certain system behavior or postmortem artifacts to determine that the described issue has been exploited.

The 'Symptoms' section explains in detail how to detect and verify that the described issue has occurred. This includes error messages, panic strings or stack traces where the errors can be seen or inferred.

Any information that may make it easy for a malicious user to reproduce the issue will not be included in this section. Technical root causes will not be discussed in the 'Symptoms' section.

4. Relief/Workaround

This section lists recovery steps a user may employ when the described issue occurs or preemptive action that can be taken to prevent the issue from being exploited. If a user configurable and supportable workaround is available, step-by-step instructions are provided so that the user may prevent the vulnerabilities from being exploited before the resolution can be applied to the system. For example, if a specific system setting would make an issue unexploitable, this section would provide instructions on how to activate that setting. In the case of Sun Alerts where Workaround is checked in the Avoidance section, these relief instructions or workarounds help customers to temporarily prevent the vulnerabilities until Sun releases the patches or Update for the issue. Any impact and possible negative effect that may occur by deploying the workaround will be mentioned in this section.

For security issues which are public before the resolution patches have completed their testing and release process, Sun may make the pre-release patch available via a special web page. In such cases the pre-release patch is referred to as a T-patch. Once the patch completes its test processes it will be moved to full release status and appear in the regular patch collection on SunSolve. Customers who install such T-patches should not remove the T-patch and install the released patch version once it is available. The only difference between the T-patch and the released patch is the README, which will have undergone reformatting and may contain corrections.

If an issue becomes public before Sun has created T-patches, Sun may publish an emergency Interim Security Relief (ISR). An ISR is an IDR (Interim Diagnostics or Relief) that addresses a security issue. More information about IDRs is available at http://sunsolve.sun.com/show.do?target=IDR

5. Resolution

The Resolution section lists all officially released patches, Updates, and publicly available solutions to the security issues. All impacted products mentioned in the Contributing Factors section will be addressed here before the Sun Alert is considered Resolved. In the case of Preliminary or Workaround Sun Alerts, the Resolution section typically contains no patches (or Updates) or a partial list of solutions. Once all resolution patches or Updates are available, the Sun Alert is marked Resolved.



Product: SunSolve 5




Article Details
Article ID : 213557
Article Type : Technical Instruction
Last reviewed : 2008-10-21
Audience : PUBLIC
Keywords : Security, Sun Alert, Reference, Vulnerability