CERT-In Advisory
CIAD-2015-0062
Multiple Vulnerabilities in Solaris
Original Issue Date: November 05, 2015
Severity Rating: High
Systems Affected
Overview
Multiple vulnerabilities have been reported in Oracle Solaris which may be exploited by a remote user without authentication. A remote user can affect the confidentiality, integrity and availability of data by executing arbitrary code and can also cause a denial of service.
Description
1. Oracle Solaris Arbitrary Code Execution Vulnerability
(CVE-2015-4801, CVE-2015-4817, CVE-2015-4820, CVE-2015-4831, CVE-2015-4837, CVE-2015-4869, CVE-2015-4907)
This vulnerability exists in various Oracle Solaris components such as Solaris Kernel Zones, the Kernel Zones virtualized NIC driver, Utility/Security and Kernel. Successful exploitation of this vulnerability can result in unauthorized operating system takeover, including arbitrary code execution. A user can exploit this vulnerability to escalate privileges.
2. Oracle Solaris Denial-of-Service Vulnerability
(CVE-1999-0377, CVE-2015-2642, CVE-2015-4822, CVE-2015-4834, CVE-2015-4891)
This vulnerability exists in various Oracle Solaris components such as INETD, Gzip, Solaris Kernel Zones, Utility/Zones and NSCD. A local user may exploit flaws in the above-mentioned components to cause a partial or complete denial of service on the target system.
Solution
Apply the patches as mentioned in the Oracle advisory:
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Vendor Information
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
References
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Security Tracker
http://securitytracker.com/id/1033881
CVE Name
CVE-2015-4869
CVE-2015-4891
CVE-2015-4907
CVE-1999-0377
CVE-2015-2642
CVE-2015-4801
CVE-2015-4817
CVE-2015-4820
CVE-2015-4822
CVE-2015-4831
CVE-2015-4834
CVE-2015-4837
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India