Tuesday Jun 02, 2009

CommunityOne Secure Programming slides

The slides and other supporting material from Scott Rotondo's CommunityOne talk on Secure Programming are now available from the OpenSolaris security community library pages. The talk includes how OpenSolaris uses lint extensions to detect problems using static analysis at build time as well as a new tool from Sun Labs called Parfait.

- Darren

Sunday May 31, 2009

Sun Security Toolkit (aka SST, aka JASS) now on OpenSolaris

The Sun Security Toolkit (SST), also known as JASS: "Jumpstart Architecture and Security Scripts", is now open source under the CCDL license. It is being hosted on OpenSolaris under the project name sst


- Darren

Friday Dec 05, 2008

Sun Response to M-Class Server Denial of Service (DoS) Report

An apparent Denial of Service (DoS) issue relating to Sun M-class servers
was reported by three OpenBSD developers to the Full-Disclosure mailing


The issue as described relates that the OpenBSD/sparc64 kernel can trigger
a fault which causes the dynamic domain of a Sun M-class server to power
down. Sun has investigated this issue and would like to provide the
following details to help clarify the impact as well as the contributing

  • This issue applies to Sun SPARC Enterprise M4000 Servers and Sun
    SPARC Enterprise M5000 Servers only.
  • This issue does not apply to the above systems when Solaris is
  • This issue is seen with OpenBSD/sparc64 due to a device driver and
    thus can not be triggered by an unprivileged user.
  • The OpenBSD/sparc64 device driver causes a hardware fault to occur
    and since the dynamic domains in Sun SPARC Enterprise M4000 and
    M5000 servers share major hardware components the hardware fault
    causes the M-class server processor to shut down the entire platform.
  • The Sun SPARC Enterprise M4000 and M5000 servers are cold service
    systems and thus to clear a hardware fault the system must be powered

Monday Sep 22, 2008

Denial of Service (DoS) issue reported in Sun SPARC Enterprise M4000 running OpenBSD

Sun is aware of a Denial of Service (DoS) issue in the Sun SPARC Enterprise M4000 server running OpenBSD. This issue could
lead to a hardware failure in one domain that may affect other running domains on the system, thereby requiring complete
power cycle of the hardware to recover from. Sun acknowledges Theo de Raadt of openbsd.org for bringing the issue to our

Sun has been in contact with the reporters of the issue and is currently investigating to fully understand the root cause,
its impact and to find a resolution. Sun will provide additional information as soon as it becomes available.

Security vulnerabilities or potential security issues in any Sun product may be reported via email to
security {dash} alert {at} sun.com. It is recommended to encrypt all sensitive emails with the Sun Security Coordination Team's PGP key.
More details can be found here

Monday Sep 15, 2008

Update JDK in Sun Java System Application Server

The Sun Java System Application Server versions 8.1, 9.0 and 9.1 bundle
the Java SE Development Kit (JDK) 1.5.0. Sun has recently published JDK

1.5.0_16, which is an Update to JDK 1.5.0, addressing multiple security
vulnerabilities as listed in the following Sun Alerts:

Sun Alert 238628 available here

Sun Alert 238905 available here

Sun Alert 238965 available here

Sun Alert 238966 available here

Sun Alert 238967 available here

Sun Alert 238968 available here

All users of Sun Java System Application Server should apply the patches
listed in these Sun Alerts or upgrade the JDK to JDK 1.5.0_16 which is

available at


Tuesday Jul 22, 2008

Solaris 10 11/06 achives Common Criteria EAL4+ CAPP/RBACPP/LSPP

Solaris 10 11/06 now has a Common Criteria EAL4+ certification for CAPP/RBACPP/LSPP. For full details see the press release. Details of all Solaris Common Criteria certifications are available on the security certifications page.

- Darren

Monday May 19, 2008

Sun UK End to End Data Security briefing

Sun UK is running a morning briefing on End to End to Security. The event is on Thursday 5th June in the London Customer Briefing Center (for LOSUG people this is the same place we meet). Details and registration information can be found here. Dave Walker and I are among the speakers.

-- Darren

Tuesday Nov 06, 2007

Reference document for security Sun Alerts

The Sun Security Coordination Team has published a reference document for security Sun Alerts at:


This document includes information on Preliminary and Workaround Sun Alerts, various sections in the body of a Sun Alert, definitions of frequently used vulnerability related terminology (such as 'local user', 'remote user', 'execution of arbitrary code' and so on) and a brief summary of Sun's response to security vulnerability reports.

Thursday Sep 06, 2007

Beginning of the End for separate Solaris Data Encryption Kit (SUNWcry)

The removal of the Solaris Data Encryption Kit has been quite a difficult and long process for us, we are taking a different approach for Solaris 10 and for OpenSolaris. Valerie Bubb has info on how it has been done for Solaris 10 and is also currently running codereview for the OpenSolaris variant which is the full fix for this. - Darren

Friday Aug 17, 2007

Trusted Extensions admin scripts, offered to opensolaris.org

As just emailed to the fine folk on security-discuss-AT-opensolaris-DOT-org:

Hi Everyone,

I will shortly have a working set of scripts to assist in the configuration and administration of Trusted Extensions (TX) systems as another element of the "TX-Ranger" initiative, which I've blogged about a little at http://blogs.sun.com/davew/entry/building_tx_ranger.

The idea driving TX-Ranger is to make TXs much easier to set up, play with, hack on, test software with and evaluate in a development environment than it currently is. TX is stunning technology, applicable to far more environments than those in which I see it currently being considered, and it would be a huge shame if its adoption was hampered by a lack of a few tools to make setting it up a straightforward exercise. I want to "make the world a more labelled place", so the easier it is for folk to flex TX's muscles for their purposes, the wider I'll grin :-).

While Trusted Solaris 8 found an almost exclusive home in Defence and Intelligence environments, changes in legislation and configuration mean that Trusted Extensions is far more applicable to today's academic and commercial world. Although the default set of labels (in /etc/security/tsol/label_encodings) reflects this, many organisations (and users) which don't traditionally do data classification could still benefit enormously from it simply by having two labels of "Internet" and "Internal", and allowing data to be written up from "Internet" but not down to it, thus preventing most types of data leak.

Glenn Faden already has some nifty tools for his "safe browsing" environment posted at http://blogs.sun.com/gfaden/entry/ want_to_try_safe_browsing, but this still requires having the base TX system configured correctly.

The TX-Ranger scripts automate much of the current manual effort required to configure a TX environment. While I've been made aware that some prototype Jumpstart tools exist for TX configuration, I have been careful not to examine them as their Open status is not currently guaranteed. The author of the TX-Ranger scripts being offered, Jeff Turner of Context-Switch, has kindly agreed that they can be released to opensolaris.org under a CDDL licence.

Among other things, these scripts (and attendant TX configuration files) will reduce the administrative work needed to set up a new label compartment element, to:

assign-compartment <name> <name presented in list by previous command>

...which is rather more straightforward than the current need to manually modify label_encodings and either put hex-containing strings into tnrhtp or do much mouse-shuffling around the Solaris Management console.

Also, once a label exists, actually making it function currently involves assigning it to a zone, potentially assigning it its own physical interface with zonecfg, cloning the zone, tweaking the zone's config to give it an appropriate IP address, etc. While the elegant little txzonemgr GUI tool makes some of this easier than it sounds, it's still not as easy as:

activate-label <label> <physical interface> <IP addr>

...which is how one of the TX-Ranger scripts is driven :-).

I'd love to hear about how I can best share this material with the OpenSolaris security community.

"The future's bright, the future's labelled" :-).


Dave Walker
Client Solutions, Sun Microsystems UK
Tel: +44 780 3079264


This blog provides security vulnerability fix notifications relevant to third party software components distributed and supported as part of Oracle Products.
Summarized version of this blog is available as a mapping of CVEs and solutions.


« July 2016