Asset ID: 1-79-1624583.1
Update Date: 2017-10-11
Solution Type: Predictive Self-Healing Sure Solution
1624583.1: Reference Index of CVE IDs and XCP versions (Mx000 Servers)
Related Items
- Sun SPARC Enterprise M5000 Server
- Sun SPARC Enterprise M9000-64 Server
- Sun SPARC Enterprise M3000 Server
- Sun SPARC Enterprise M9000-32 Server
- Sun SPARC Enterprise M4000 Server
- Sun SPARC Enterprise M8000 Server
Related Categories
- PLA-Support>Sun Systems>SPARC>Enterprise>SN-SPARC: Mx000
This document provides a non-exhaustive list of CVEs fixed or Not Applicable (N/A) in XCP ... that might be called out by your security scan tool.
Applies to:
- Sun SPARC Enterprise M9000-32 Server
- Sun SPARC Enterprise M3000 Server
- Sun SPARC Enterprise M9000-64 Server
- Sun SPARC Enterprise M4000 Server
- Sun SPARC Enterprise M5000 Server
- SPARC
Purpose
Most of the time, security scan tools only check the version string of openssh/openssl/apache to generate a list of possible Common Vulnerabilities and Exposures (CVEs), rather than actually testing whether the server is impacted by a CVE.
This document provides a non-exhaustive list of CVEs that might be listed by your security scan tool, but are either fixed in XCP or not applicable (N/A).
Scope
Details
For openssh/apache issues, it's always possible to disable ssh (man setssh), disable the apache server (man sethttps) or use packet filters (man setpacketfilters) to avoid a potential security issue.
If you don't find a CVE in the following list, please open a Service Request and we will investigate whether your server might be impacted by the CVE.
However, note that Oracle treats every security concern as confidential and Oracle Global Customer Support (GCS) is not authorized to make further statements to individual customers. For further information, see the standard update for a security SR at the end of this document.
OpenSSL

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2008-5077 | OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. | XCP1112 |
| CVE-2008-7270 | OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180. | XCP1112 |
| CVE-2009-0590 | The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. | XCP1112 |
| CVE-2009-3245 | OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors. | XCP1112 |
| CVE-2010-4180 | OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. | XCP1112 |
| CVE-2010-5107 | The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. | XCP1118 |
| CVE-2013-4353 | The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake. | N/A |
| CVE-2013-6449 | The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. | N/A (openssl implementation used in XCP does not support TLS 1.2) |
| CVE-2013-6450 | The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c | N/A (openssl implementation used in XCP does not support DTLS) |
| CVE-2014-0160 (Heartbleed) | The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | N/A (see http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html ) |
| CVE-2014-0224 | OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. | XCP1118 |
| CVE-2014-3566 | The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. | XCP1119 |
| CVE-2014-3571 | OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c. | XCP1120 |
| CVE-2013-2566 | The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. | XCP1121 |
| CVE-2015-1789 | The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback. | XCP1121 |
| CVE-2015-1790 | The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data. | XCP1121 |
| CVE-2015-2808 | The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue. | XCP1121 |
| CVE-2015-4000 | The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. | XCP1121 |

OpenSSH

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2003-0386 | OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. | XCP1110 |
| CVE-2003-0682 | "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695. | XCP1110 |
| CVE-2003-0693 | A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. | XCP1041 |
| CVE-2003-0695 | Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693. | XCP1110 |
| CVE-2003-0787 | The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges. | XCP1110 |
| CVE-2004-1653 | The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS. | N/A (AllowTcpForwarding is disabled in XCP) |
| CVE-2004-2069 | sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption). | XCP1110 |
| CVE-2005-2666 | SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key. | XCP1110 |
| CVE-2005-2798 | sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. | XCP1110 |
| CVE-2006-0225 | scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. | XCP1110 |
| CVE-2006-5051 | Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. | XCP1110 |
| CVE-2006-5052 | Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort." | XCP1110 |
| CVE-2007-2243 | OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. | N/A (ChallengeResponseAuthentication is disabled in XCP) |
| CVE-2007-2768 | OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. | N/A (one-time password is not used in XCP) |
| CVE-2007-4752 | ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. | XCP1110 |
| CVE-2008-4109 | A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051. | XCP1110 |
| CVE-2008-5161 | Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors. | XCP1110 |
| CVE-2010-4478 | OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. | N/A (J-PAKE protocol is not used in XCP) |
| CVE-2010-4755 | The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. | N/A (XCP is an appliance model, sftp command is not supported) |
| CVE-2011-5000 | The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant. | N/A (XCP is not using Kerberos/GSSAPI authentication) |
| CVE-2012-0814 | The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. | N/A (No access to filesystem in XCP) |
| CVE-2011-4327 | ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call. | XCP1110 |

Apache

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2006-3918 | http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file. | XCP1101 |
| CVE-2007-6203 | Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918. | XCP1101 |
| CVE-2011-3192 | The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. | XCP1110 |
| CVE-2012-0053 | protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script. | XCP1118 |
| CVE-2011-3368 | The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. | XCP1118 |
| CVE-2011-4317 | The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. | XCP1118 |
| CVE-2013-5704 | The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." | XCP1120 |

BASH

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2014-7169 (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278: all these vulnerabilities are referred to collectively as CVE-2014-7169) | GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. | XCP1118 (see also Doc ID 1940692.1) |

NTP

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2013-5211 | The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. | N/A (XCP does not respond to monlist request) |
| CVE-2014-9293 | The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. | N/A (XCP is not vulnerable to this CVE because of the non-used function or settings) |
| CVE-2014-9294 | util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. | N/A (XCP is not vulnerable to this CVE because of the non-used function or settings) |
| CVE-2014-9295 | Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. | N/A (XCP is not vulnerable to this CVE because of the non-used function or settings) |
| CVE-2014-9296 | The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. | N/A (XCP is not vulnerable to this CVE because of the non-used function or settings) |

GLIBC

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2015-0235 | Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST." | XCP1120 |

LINUX

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2015-3238 | The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password. | XCP1121 |

CVEs created by Oracle

| CVE ID | Description | Fixed in / Not Applicable |
|---|---|---|
| CVE-2011-2299 | Unspecified vulnerability in Oracle SPARC Enterprise M3000, M4000, M5000, M8000, and M9000 XCP 1101 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to XSCF Control Package (XCP). | XCP1102 |
| CVE-2012-0548 | Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 and earlier allows local users to affect confidentiality, related to XSCF Control Package (XCP). | XCP1111 |
| CVE-2012-1693 | Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 allows remote attackers to affect availability, related to XSCF Control Package (XCP). | XCP1111 |
| CVE-2013-3773 | Unspecified vulnerability in the SPARC Enterprise M Series Servers component in Oracle and Sun Systems Products Suite XCP 1114 and earlier allows remote attackers to affect availability via vectors related to XSCF Control Package (XCP). | XCP1115 |

Standard Security SR Response
"Thank you for logging this issue with Oracle Global Customer Support (GCS).
This issue has been passed to Oracle's Global Product Security organization for assessment.
Once passed to the corporate security organization, the issue is treated as confidential and GCS is not authorized to make further statements to individual Customers about the issue, or to publish articles disclosing the substantive nature of the vulnerability, or otherwise to disclose the plans for or current status of any fix.
Only Oracle's Global Product Security organization is authorized to comment on these security issues, and typically Oracle Global Product Security will only issue communications through Critical Patch Update (CPU) announcements. We believe the most effective way to protect all customers is to avoid discussing, disclosing or publicizing vulnerabilities. Our first priority in this process is to reduce and manage the risk to the entire Customer base of product security vulnerabilities.
When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems. Oracle's policy is to fix security vulnerabilities in severity order -- higher severity vulnerabilities are fixed as a priority over lower severity vulnerabilities.
Oracle encourages our customers to contact us as soon as they suspect security vulnerabilities. Oracle strongly advises all Customers to apply CPU releases promptly, to ensure they have the most up-to-date protection from product security vulnerabilities.
More information on Oracle's security policy for vulnerability handling can be found by clicking on "Security Vulnerability Fixing Policy and Process" at http://www.oracle.com/technetwork/topics/security/learnmore/index.html
More information on the CPU program can be found here: http://www.oracle.com/technology/deploy/security/alerts.htm
Thank you."
Rules
- SRs opened against one of the CVEs listed in the public section should not be transferred to the security group.
- SRs opened against one of the CVEs listed in the Internal Only section or against a CVE that is not listed MUST be transferred to the security group (Option 5) + email benoit.baguette@oracle.com and daniel.ellison@oracle.com to let them know that you have transferred an SR to the security group.
- Do not communicate anything to the customer regarding CVEs which are not listed in the public section (do not acknowledge that they might be impacted by the CVE).
OpenSSH versions (!!! Internal Only, do NOT communicate versions to customers !!!)

| XCP | OpenSSH |
|---|---|
| <1110 | v3.6.1p2 (+ patches) |
| 1110 and greater | v5.0p1 (+ patches) |

OpenSSL version (!!! Internal Only, do NOT communicate versions to customers !!!)
OpenSSL version is a patched version of 0.9.7.f ... which means that fixes included in versions > 0.9.7.f may be included in the version used in the current XCP. In other words, don't pay attention to the OpenSSL version and check the list of known CVEs fixed in the above table.
Apache version (!!! Internal Only, do NOT communicate versions to customers !!!)
The current apache version is:
XSCF> /usr/sbin/httpd -V
Server version: Apache/2.2.15 (Unix)
Server built: Aug 20 2010 17:47:51
Current Known issues (!!! Internal Only, do NOT communicate versions to customers !!!)

| CVE ID | Description | Bug# |
|---|---|---|
| CVE-2004-2761 | The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate. | 18517061, 16011251, 21770247 |
| CVE-2011-3389 (BEAST) | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. | 22213945 |
| CVE-2013-0169 | The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue | 22316798 |
| CVE-2008-3259 | OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform. | 22316803 |
| CVE-1999-0524 | ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts. | 22316804 ... CLOSED: Acceptable behavior (CVSS score:0) |
| CVE-2005-3119 and CVE-2005-3181 | | 23275946 ... CLOSED : XCP not impacted |
| TLS 1.2 support | | Bug# 23760937 |