The Third Party Vulnerability Resolution Blog covers CVEs and patches in Systems product suite.

Multiple vulnerabilities in NTP

Ritwik Ghoshal
Senior Principal Security Analyst
CVE Description CVSSv2 Base Score Component Product Resolution
CVE-2014-9295 Buffer Error vulnerability
CVE-2014-9296 Coding Error vulnerability
7.5 NTP V4 Solaris 11.2
Solaris 11.1 IDR1583.2
Solaris 10 SPARC: 143725-05 X86: 143726-05
NTP V3 Solaris 10 SPARC: 148881-03 X86: 148882-03

Please log a support request via My Oracle Support to get access to the IDRs.

Latest version of NTP shipped with Solaris 10 and Solaris 11.2 is not impacted by CVE-2014-9293 and CVE-2014-9294.

Please upgrade to Solaris 11.1 SRU 13.6 to install the Solaris 11.1 IDR.

NTP service on Solaris 10 needs to be restarted for the patches to take effect. You can restart the daemon by using
# svcadm restart ntp (for NTPv3) or # svcadm restart ntp4 (for NTPv4)

NTPv3 is not vulnerable to CVE-2014-9296.

Please see http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities for workaround instructions.

This notification describes vulnerabilities fixed in third-party components that are included in Oracle's product distributions.
Information about vulnerabilities affecting Oracle products can be found on Oracle Critical Patch Updates and Security Alerts page.

Join the discussion

Comments ( 2 )
  • guest Thursday, February 26, 2015

    NTPv3 is not affected by CVE-2014-9296.
    If acceptable, could you add following comment to this blog.

    CVE-2014-9296 affects only NTPv4.
    NTPv3 is not vulnerable to CVE-2014-9296.

  • Ritwik Ghoshal Thursday, February 26, 2015

    I have added a new note: "NTPv3 is not vulnerable to CVE-2014-9296."


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.