Veritas Software recommends users of its Cluster Server apply newly-available patches to plug a "serious" security hole an attacker could use to launch malicious code with root privileges.
"The potential for a serious system security breach has been found to exist in Veritas Cluster Server for Solaris, HP-UX, AIX, and Linux," the Mountain View, Calif.-based company said in an advisory. "This issue does not exist on any version [of the server] for Windows."
The company said the patches address the problem on the Solaris, HP-UX, AIX, and Linux versions, and that users of Cluster Server 4.0 on Solaris who have already applied MP1 already have the fix.
"It is highly recommended that all installations of Cluster Server be updated to include the fix for this potential security issue because root access can be achieved by unauthorized users," Veritas said.
Veritas said users should take the following steps to apply the patch:
- Find the appropriate Unix platform and version in the advisory list;
- Verify that you have the appropriate version of Cluster Server installed on which to apply the patch;
- Open and read the listed tech file for your platform; and
- Download the patch directly from that tech file.
Further technical details are offered in the advisory.
Copenhagen, Denmark-based security firm Secunia said the vulnerability is "highly critical." Asked how much of a crossover impact the vulnerability could have, Secunia CTO Thomas Kristensen said by e-mail, "Our rating is solely based on an assessment of a single installation, not how widely used the product is. Unfortunately, Veritas hasn't published a lot of details."
Because of the potential for a security breach, Veritas said it is keeping most of those details under lock and key.
Kristensen said he's not aware of any workarounds to the problem. "I would recommend installing the patch rather than attempting to apply a workaround," he said.