A Security Vulnerability in Sun Virtual Desktop Infrastructure (VDI)
Software 3.0 may Lead to Unauthorized Access to the VirtualBox Web Service
Category: Security
Release Phase: Resolved
Bug Id: 6880209
Product: Sun Virtual Desktop Infrastructure (VDI) Software 3.0
Date of Resolved Release: 03-Nov-2009
A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0 ...
see below
1. Impact
A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0
authentication mechanism may allow remote unprivileged users to gain
unauthorized access to the VirtualBox web service.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
Sun VDI Software 3.0 (for Solaris 10) without patch 141481-03 and using
VirtualBox 2.0.8 or 2.0.10
x86 Platform
Sun VDI Software 3.0 (for Solaris 10) without patch 141482-03 and using
VirtualBox 2.0.8 or 2.0.10
Note 1: Sun VDI 2.0 does not provide integration with VirtualBox and
therefore is not impacted by this issue.
To determine the version of Sun VDI Software on a system, the following
command can be run:
$ pkgparam SUNWvda-service VERSION
3.0_71,REV=2009.03.11.11.27
Note 2: This issue is only present in Sun VDI 3.0 configurations using
VirtualBox desktop providers.
To determine the type of desktop providers configured for Sun VDI 3.0,
the following command can be run:
# /opt/SUNWvda/sbin/vda provider-list | grep -i VirtualBox
<ProviderName> Sun VirtualBox 5 0
1% (155 MHz) 13% (2.2 GB) 0% (16.1 GB)
Note 3: This issue is only present for VirtualBox version 2.0.8 and
2.0.10 for Sun VDI.
To determine the version of VirtualBox on a system, the following
command can be run:
$ pkgparam SUNWvbox VERSION
2.0.10,REV=r50334.2009.07.21.16.12
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.
Access from hosts/IPs other than Sun VDI 3.0 core servers in the Apache2
access log
(/var/apache2/logs/access_log) may indicate an unauthorized user.
4. Workaround
To work around the described issue, firewall rules may be configured on
the VirtualBox hosts to allow connections only from the VDI core
servers. See the firewall product documentation for more information
on how to configure firewall rules.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
Sun VDI Software 3.0 (for Solaris 10) with patch 141481-03 or later and
with VirtualBox 2.0.12 or later
x86 Platform
Sun VDI Software 3.0 (for Solaris 10) with patch 141482-03 or later and
with VirtualBox 2.0.12 or later.
Note: VirtualBox 2.0.12 is required to address the issue described, and
may be downloaded from the following URL:
http://www.sun.com/software/vdi/get.jsp
Click on the "Download" button in the "Download Sun VDI Software 3" section.
VirtualBox 2.0.12 should be installed after applying the Sun VDI 3.0
patch (141481-03 or 141482-03).
For more information on Security Sun Alerts, see Technical Instruction
ID 213557 http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
document link at sun.com:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-268328-1
_______________________________________________
SGD-Users mailing list
SGD-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sgd-users
