X

The Third Party Vulnerability Resolution Blog covers CVEs and patches in Systems product suite.

Sun Alert 102759 Security Vulnerabilities in OpenSSL Affect Solaris WAN Boot

Guest Author
Product: Solaris 9 Operating System, Solaris 10 Operating System

Multiple vulnerabilities in the OpenSSL product impact the Solaris WAN boot software.

An RSA signature forgery vulnerability may allow an untrusted server or client to present a forged identity to the other party during remote software installation when SSL is in use with certain types of certificates. This would allow the security restrictions of that SSL configuration to be circumvented.

Additionally, security vulnerabilities in the ASN.1 parser implementation and public key handling in the OpenSSL library may allow a user who is running a client system that is able to connect to a WAN Boot installation server to cause a Denial Of Service (DoS) to that server. This could prevent the server from providing service to WAN Boot clients. Clients connecting to an untrusted server may also be impacted by this issue.

Note that the WAN Boot software uses a static version of the OpenSSL libraries, meaning that the Solaris 10 resolution for Sun Alert 102744, which corrects applications dynamically linking to the Solaris OpenSSL libraries, is not sufficient to resolve this issue for the WAN Boot software. This Sun Alert will describe the full impact and resolution for the WAN Boot software.

These issues are also described in the following documents:

CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

http://www.openssl.org/news/secadv_20060928.txt

CVE-2006-2937 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937

CVE-2006-2940 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940

Note: This Sun Alert is specific to the Solaris WAN Boot software. Multiple Sun products are affected by the RSA signature forgery issue; for more details please see Sun Alert 102648 at

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1

Avoidance: Patch, Workaround
State: Resolved
First released: 22-Dec-2006

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.