A Security Vulnerability in the ASN.1 Handling in Solaris OpenSSL May Lead to a Denial of Service (DoS) Condition |
|
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 6824175
|
| Product : | Solaris 10 Operating System
OpenSolaris
|
| Date of Workaround Release : | 29-Apr-2009
|
| Date of Resolved Release : | 08-Jun-2009
|
A Security Vulnerability in the ASN.1 Handling in Solaris OpenSSL May Lead to a Denial of Service (DoS) Condition
1. Impact
A security vulnerability in the ASN.1 handling in the OpenSSL product
(see openssl(5)) shipped with Solaris may allow a local or remote
unprivileged user to cause a Denial of Service (DoS) to applications
calling the "ASN1_STRING_print_ex()" printing function.
Additional information regarding this issue can be found in the
following document:
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform:
- Solaris 10 without patch 141742-01
- OpenSolaris based upon builds snv_01 through snv_112
x86 Platform:
- Solaris 10 without patch 140119-07
- OpenSolaris based upon builds snv_01 through snv_112
Notes: 1. Solaris 8 and Solaris 9
are not impacted by this issue.
2. Any OpenSSL application
which prints out the contents of a certificate could be affected by
this bug, including SSL servers, clients and S/MIME software. For
example: commands such as openssl(1) and servers such as PostgreSQL are
known to be vulnerable to this issue.
3. Solaris Secure Shell (SSH), Firefox and Thunderbird distributed with Solaris are not vulnerable to this issue.
OpenSolaris distributions may include additional bug fixes above and
beyond the build from which it was derived. The base build can be
derived as follows:
$ uname -v
snv_101
3. Symptoms
There are no predictable symptoms that would indicate the described
vulnerability has been exploited.
4. Workaround
There is no workaround for this issue. Please see the Resolution section below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform:
- Solaris 10 with patch 141742-01 or later
- OpenSolaris based upon builds snv_113 or later
x86 Platform:
- Solaris 10 with patch 140119-07 or later
- OpenSolaris based upon builds snv_113 or later
For
more information on
Security Sun Alerts, see Technical
Instruction
ID 213557.
This Sun Alert
notification is being provided to you on
an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun
Microsystems,
Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Modification History04-May-2009: Added additional "Notes" to Contributing Factors
08-Jun-2009: Updated Contributing Factors and Resolution sections; Resolved
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
