V-199: Solaris Bugs Let Local Users Gain Root Privileges, Remote and Local Users Deny Service, and Remote Users Partially Access and Modify Data

July 17, 2013 - 6:00am

PROBLEM:

Multiple vulnerabilities were reported in Solaris

PLATFORM:

Version(s): 8, 9, 10, 11

ABSTRACT:

Multiple vulnerabilities were reported in Solaris

REFERENCE LINKS:

SecurityTracker Alert ID: 1028802
Oracle Critical Patch Update Advisory - July 2013
CVE-2013-3745
CVE-2013-3746
CVE-2013-3748
CVE-2013-3750
CVE-2013-3752
CVE-2013-3753
CVE-2013-3754
CVE-2013-3757
CVE-2013-3765
CVE-2013-3773
CVE-2013-3786
CVE-2013-3787
CVE-2013-3797
CVE-2013-3799
CVE-2013-3813

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A local user can gain root control on the target system. The Kernel/VM [CVE-2013-3750] and Kernel [CVE-2013-3786] components are affected

A remote user can cause denial of service conditions. The Kernel/STREAMS framework [CVE-2013-3753] and Driver/IDM (iSCSI Data Mover) [CVE-2013-3748] components are affected

A remote user can exploit a flaw in the SMF/File Locking Services component to partially modify data and partially deny service [CVE-2013-3757 Solaris NFS]

A remote user can exploit a flaw in the Libraries/PAM-Unix component to partially access and modify data [CVE-2013-3813]

A remote user can exploit a flaw in the Utility/Remote Execution Server (in.rexecd) component to partially access data [CVE-2013-0398]

A remote user can exploit a flaw in the Service Management Facility (SMF) component to partially modify data [CVE-2013-3752]

A remote user can exploit a flaw in the Kernel component to partially deny service [CVE-2013-3787]

A local user can cause denial of service conditions. The Kernel [CVE-2013-3799], Kernel/VM [CVE-2013-3765], and Filesystem/DevFS [CVE-2013-3797] components are affected

A local user can exploit a flaw in the Libraries/Libc component to partially deny service [CVE-2013-3745]

A local user can gain root access on the target Solaris Cluster. The HA for TimesTen [CVE-2013-3754] and Zone Cluster Infrastructure [CVE-2013-3746] components are affected

A remote user can exploit a flaw in the XSCF Control Package (XCP) on SPARC Enterprise M Series Servers to partially deny service [CVE-2013-3773]

IMPACT:

A remote or local user can cause denial of service conditions

A local user can obtain root privileges on the target system

A remote user can partially access and modify data on the target system

SOLUTION:

The vendor recommends applying the July Critical Patch Update
