Document Audience: PUBLIC
Document ID: 265488
Title: A Security Vulnerability in Sun Virtual Desktop Infrastructure
(VDI) Software 3.0 may Lead to Inadvertent use of an Insecure LDAP
Connection
Copyright Notice: Copyright © 2009 Sun Microsystems, Inc. All Rights
Reserved
Update Date: Fri Aug 14 00:00:00 MDT 2009
Solution Type: Sun Alert
Solution 265488: A Security Vulnerability in Sun Virtual Desktop
Infrastructure (VDI) Software 3.0 may Lead to Inadvertent use of an
Insecure LDAP Connection
Bug ID: 6856923
Product: Sun Virtual Desktop Infrastructure
Date of Resolved Release: 14-Aug-2009
SA Document Body
A security vulnerability in Sun Virtual Desktop Infrastructure (VDI)
Software 3.0 may lead to inadvertent use of an insecure LDAP connection:
1. Impact
A security vulnerability in Sun Virtual Desktop Infrastructure (VDI)
Software 3.0 may allow a remote privileged user to be able to view
client LDAP requests for VDI configuration data.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
Sun VDI Software 3.0 (for Solaris 10) without patch 141481-02
x86 Platform
Sun VDI Software 3.0 (for Solaris 10) without patch 141482-02
Note 1: Sun VDI 2.0 does not provide integration with LDAP directories
and therefore is not impacted by this issue.
To determine the version of Sun Virtual Desktop Infrastructure Software
on a system, the following command can be run:
$ /usr/bin/pkginfo -l SUNWvda-service | grep -i version
Note 2: Only systems which have been setup to use a secure LDAP
connection are vulnerable to this issue. To determine if a system has
been set up in this way, execute the following command:
# /opt/SUNWvda/sbin/vda directory-show
Authentication: secure
...
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.
Unless the LDAP User Directory has an insecure configuration, the Sun
VDI 3.0 service will not function.
4. Workaround
To work around this issue, anonymous binding should be disabled (using
ACLs or other settings, depending on the type of LDAP directory used) on
the LDAP directory to prevent the silent fallback to unencrypted connection.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
Sun VDI Software 3.0 (for Solaris 10) with patch 141481-02 or later
x86 Platform
Sun VDI Software 3.0 (for Solaris 10) with patch 141482-02 or later
For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
document link at sun.com:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-265488-1
_______________________________________________
SGD-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sgd-users
