Document ID: 271040
http://support.veritas.com/docs/271040
E-Mail this document to a colleague
http://support.veritas.com/docs/271040
E-Mail this document to a colleague
A security flaw which allows for potential unauthorized root access in VERITAS Cluster Server (tm) for all UNIX platforms has been discovered
Details:
The potential for a serious system security breach has been
found to exist in VERITAS Cluster Server for Solaris, HP-UX, AIX, and Linux.
This issue does not exist on any version of VERITAS Cluster Server for Windows.
The potential problem has been addressed for Solaris, HP-UX, AIX, and Linux
versions of Cluster Server in the patches listed below. If you have
VERITAS Cluster Server 4.0 on Solaris and have already applied MP1, then this
issue is already resolved in your environment. It is highly recommended that all
installations of Cluster Server be updated to include the fix for this potential
security issue because root access can be achieved by unauthorized
users.
To obtain the patch needed for your installation of Cluster Server, follow these steps:
1. Find the appropriate UNIX platform and version in the list below
2. Verify that you have the appropriate version of Cluster Server installed on which to apply the patch (check the table below)
3. Open and read the listed TechFile for your platform (the TechFile numbers in the list below are links to the document)
4. Download the patch directly from that TechFile
Note: If using VERITAS CommandCentral (tm) Availability, you must apply the Command Central Availability patch from TechFile http://support.veritas.com/docs/270142 for Command Central Availability to work with Cluster Server after having applied any of the patches below.
To obtain the patch needed for your installation of Cluster Server, follow these steps:
1. Find the appropriate UNIX platform and version in the list below
2. Verify that you have the appropriate version of Cluster Server installed on which to apply the patch (check the table below)
3. Open and read the listed TechFile for your platform (the TechFile numbers in the list below are links to the document)
4. Download the patch directly from that TechFile
Note: If using VERITAS CommandCentral (tm) Availability, you must apply the Command Central Availability patch from TechFile http://support.veritas.com/docs/270142 for Command Central Availability to work with Cluster Server after having applied any of the patches below.
| Platform | CD release version | VCS version | TechFile | Checking the VCS version |
|---|---|---|---|---|
| Solaris | 3.5 MP3 | 3.5p3 | 270071 | pkginfo VRTSvcs |
| Solaris | 4.0 | 4.0 | 269487 | pkginfo VRTSvcs |
| HP-UX | 3.5 Update 2 | 3.5p1 | 270074 | swlist VRTSvcs |
| AIX | 3.5 MP1 | 3.5p1 | 270090 | lslpp -L VRTSvcs.rte |
| RedHat Advanced Server 2.1 i686 | 2.2 MP2 | 2.2p2 | 270095 | rpm -qa VRTSvcs |
| RedHat Enterprise Linux 3.0 i686 | 2.2 MP2 | 2.2p2 | 270096 | rpm -qa VRTSvcs |
| RedHat Enterprise Linux 3.0 update 2 IA64 | 2.2 MP2 | 2.2p2 | 270097 | rpm -qa VRTSvcs |
| SuSE SLES 8 SP3 | 2.2 MP2 | 2.2p2 | 270092 | rpm -qa VRTSvcs |
| ESX | 2.2 MP2 | 2.2p2 | 271277 | rpm -qa VRTSvcs |
Note: Because
this is a security issue, VERITAS will not publicly disclose details of this
issue. If you require assistance in applying the patch or insuring that your
system is upgraded to the necessary levels, or assistance in determining which
systems are potentially vulnerable to this issue, please contact VERITAS
Technical Support.
Supplemental Material:
| System: Ref.# | Description |
| iTools: 147547 | Potential security flaw found |
Products Applied:
Cluster Server for UNIX 1.0.1 (Solaris), 1.0.2 (Solaris), 1.1 (Solaris), 1.1.1 (Solaris), 1.1.2 (Solaris), 1.3.0 (Solaris), 1.3.0 (Solaris) PRE-GA, 1.3.0P1, 1.3.0P2, 1.3.0P3, 1.3.0P4, 1.3.1 (HPUX), 1.3.1P3, 2.0 (AIX), 2.0 (Linux), 2.0 (Solaris), 2.0 (Solaris) BETA, 2.0 (Solaris) GA, 2.0P1, 2.0P2, 2.0P3, 2.0P4, 2.1, 2.1 (Linux), 2.1 P1 (Linux), 2.2, 2.2 (Linux), 2.2 MP1, 2.2 MP1P1 (Linux), 2.2 MP2, 3.5 (AIX), 3.5 (HPUX), 3.5 (Solaris), 3.5 (Solaris) BETA, 3.5 MP1, 3.5 MP1 (Solaris), 3.5 MP1J, 3.5 MP2, 3.5 MP2 (Solaris), 3.5 MP3 (Solaris), 3.5 P1, 3.5 Update 1 (HPUX), 3.5 Update 2 (HPUX), 3.5.1 (AIX), 4.0 (AIX), 4.0 (AIX) Beta, 4.0 (Linux), 4.0 (Linux) BETA, 4.0 (Solaris), 4.0 (Solaris) BETA, 4.0 MP1 (Solaris) (Fixed)
CommandCentral Availability 4.0, 4.0 BETA
Cluster Server for UNIX 1.0.1 (Solaris), 1.0.2 (Solaris), 1.1 (Solaris), 1.1.1 (Solaris), 1.1.2 (Solaris), 1.3.0 (Solaris), 1.3.0 (Solaris) PRE-GA, 1.3.0P1, 1.3.0P2, 1.3.0P3, 1.3.0P4, 1.3.1 (HPUX), 1.3.1P3, 2.0 (AIX), 2.0 (Linux), 2.0 (Solaris), 2.0 (Solaris) BETA, 2.0 (Solaris) GA, 2.0P1, 2.0P2, 2.0P3, 2.0P4, 2.1, 2.1 (Linux), 2.1 P1 (Linux), 2.2, 2.2 (Linux), 2.2 MP1, 2.2 MP1P1 (Linux), 2.2 MP2, 3.5 (AIX), 3.5 (HPUX), 3.5 (Solaris), 3.5 (Solaris) BETA, 3.5 MP1, 3.5 MP1 (Solaris), 3.5 MP1J, 3.5 MP2, 3.5 MP2 (Solaris), 3.5 MP3 (Solaris), 3.5 P1, 3.5 Update 1 (HPUX), 3.5 Update 2 (HPUX), 3.5.1 (AIX), 4.0 (AIX), 4.0 (AIX) Beta, 4.0 (Linux), 4.0 (Linux) BETA, 4.0 (Solaris), 4.0 (Solaris) BETA, 4.0 MP1 (Solaris) (Fixed)
CommandCentral Availability 4.0, 4.0 BETA
Subjects:
AIX
Application: Informational
Cluster Server for UNIX
Application: Alert, Informational, Patches
Publishing Status: Techalert
CommandCentral Availability
Application: Patches
Publishing Status: Techalert
HP-UX
Application: Informational, Patches
Linux
Applications: Information, Patches
Solaris
Application: Informational, Patches
AIX
Application: Informational
Cluster Server for UNIX
Application: Alert, Informational, Patches
Publishing Status: Techalert
CommandCentral Availability
Application: Patches
Publishing Status: Techalert
HP-UX
Application: Informational, Patches
Linux
Applications: Information, Patches
Solaris
Application: Informational, Patches
Languages:
English (US)
English (US)
Operating Systems:
AIX
AIX
4.3.3, 4.3.4, 5.1, 5.2
HP-UX
11.0, 11.11
Solaris
2.6, 7.0, 8.0, 9.0
Linux
RedHat Advanced Server 2.1, RedHat Enterprise Linux 3.0 (AS, ES, WS), RedHat Enterprise Linux 3.0 U2 (AS, ES, WS), SLES 8 SP2/SP2a
VMWare ESX
2.1
VERITAS Software
350 Ellis Street
Mountain View, California 94043
World Wide Web: http://www.veritas.com,
Tech Support Web: http://support.veritas.com,
E-Mail Support: http://seer.support.veritas.com/email_forms,
FTP: ftp://ftp.support.veritas.com or http://ftp.support.veritas.com
THE INFORMATION PROVIDED IN THE VERITAS SOFTWARE KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. VERITAS SOFTWARE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL VERITAS SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,EVEN IF VERITAS SOFTWARE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.