Sun Integrated Lights-Out Manager Bugs Let Remote Authenticated Users Partially Access Data, Modify Data, and Deny Service
|
SecurityTracker Alert ID: 1031594 |
SecurityTracker URL: http://securitytracker.com/id/1031594
|
CVE Reference:
CVE-2013-6450, CVE-2014-0224, CVE-2014-6584, CVE-2015-0424
|
Date: Jan 21 2015
|
Impact:
Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 3.2.4
|
Description:
Several vulnerabilities were reported in Sun Integrated Lights-Out Manager. A remote authenticated user can cause partial denial of service conditions. A remote authenticated user can partially access and modify data.
A remote authenticated user can exploit a flaw in the Integrated Lights Out Manager (ILOM) IPMI component to partially access data, partially modify data, and deny service [CVE-2015-0424].
A remote authenticated user can exploit a flaw in the ILOM Backup Restore component to partially access data [CVE-2014-6584].
A remote authenticated user can exploit a flaw in the ILOM OpenSSL component to partially access and partially modify data [CVE-2014-0224].
A remote authenticated user can exploit a flaw in the ILOM OpenSSL component to cause partial denial of service conditions [CVE-2013-6450].
The following researchers reported these and other Oracle vulnerabilities:
Abdullah Erdem; Adam Willard of Foreground Security; Amir Sohail; Arjun V; Avik Sarkar; Ayoub Nait Lamine; Ben Khlifa Fahmi; Cameron Crowley; Christian Galeone;
Gaurav Mishra; Gopal Bisht; Gurjant Singh Sadhra; Karthik E C; Koutrouss Naddara; M.Asim Shahzad; Mohammed Osman; Monendra Sahu; Mousab Elhag; Muhammad Sarmad Shafiq; Rakesh Singh of Zero Day Guys; Sandeep Venkatesan; Sky_BlaCk; Sreehari; Srikanth Y; and Yann CAM.
|
Impact:
A remote authenticated user can cause partial denial of service conditions.
A remote authenticated user can partially access and modify data.
|
Solution:
The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - January 2015.
The vendor's advisory is available at:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
|
Vendor URL: www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
|
Cause:
Not specified
|
Underlying OS: UNIX (Solaris - SunOS)
|
Message History:
None.