CERT-MU Vulnerability Note VN-2008-7
Vulnerability in the Solaris sendfilev() system call
Original Issue Date: September 03, 2008
Severity Rating: Low
Systems Affected
- Solaris 10
- OpenSolaris based upon builds snv_01 through snv_95
Overview
A vulnerability has been reported in the Sun Solaris sendfilev() system call that may allow a local malicious user to cause a denial of service.
Description
sendfilev() is a system call in Solaris 10. A vulnerability exists in the Sun Solaris sendfilev() system call. If Apache 2.2x is running on Solaris 10, a local user may be able to cause the device to panic by creating a carefully crafted web page. Such an attempt may lead to a denial of service (DoS).
Solution
Apply the appropriate patches as suggested by the vendor.
- SPARC Platform
- Solaris 10 without patch 137111-04
- OpenSolaris based upon builds snv_96 or later
- x86 Platform
- Solaris 10 without patch 137112-04
- OpenSolaris based upon builds snv_96 or later
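To check a Solaris 10 host against the patch levels listed above, the following added example (not part of the original note or of Sun's advisory) parses `showrev -p` output and reports whether 137111 (SPARC) or 137112 (x86) is installed at revision 04 or later. It assumes that later revisions of the same patch ID include the fix and that `uname -p` reports `sparc` or `i386`; it does not detect a different patch ID that supersedes these, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify a Solaris 10 host against the patch IDs in this note.
# Reads `showrev -p` text on stdin so the logic can be exercised offline.

# required_patch ARCH -> prints the patch base ID the note lists for ARCH.
required_patch() {
    case "$1" in
        sparc) echo 137111 ;;
        i386)  echo 137112 ;;   # assumption: `uname -p` prints i386 on x86
        *)     return 1 ;;
    esac
}

# patch_status ARCH < showrev-output
# Prints "patched" if <base>-NN with NN >= 04 appears in a "Patch:" field,
# "vulnerable" if it does not, "unknown-arch" for an unrecognised ARCH.
patch_status() {
    base=$(required_patch "$1") || { echo "unknown-arch"; return 2; }
    awk -v base="$base" -v min=4 '
        $1 == "Patch:" {
            split($2, p, "-")               # p[1] = base ID, p[2] = revision
            if (p[1] == base && p[2] + 0 >= min) found = 1
        }
        END { print (found ? "patched" : "vulnerable") }
    '
}

# Constructed sample lines in the `showrev -p` layout (not real host data;
# 999999-01 is a placeholder patch ID).
SAMPLE_OLD='Patch: 137111-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'
SAMPLE_NEW='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 137111-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# On a live host:
#   showrev -p | patch_status "$(uname -p)"
```

A "vulnerable" result means only that the listed patch ID was not found at the required revision; confirm against the vendor document before acting on it.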
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Vendor Information
SUN
http://sunsolve.sun.com/search/document.do?assetkey=1-66-239186-1
CVE-Name
CVE-2008-3666
References
Secunia
http://secunia.com/advisories/31426/
SecurityFocus
http://www.securityfocus.com/bid/30654
FrSIRT
http://www.frsirt.com/english/advisories/2008/2337
IBM ISS
http://xforce.iss.net/xforce/xfdb/44396