Sun combats security holes in cancelled Cobalt line

More vulnerabilities have been discovered in Sun Microsystems' Cobalt line of appliances, including some that can allow remote attackers to run arbitrary code on systems.

Sun Microsystems continues to battle operating system vulnerabilities in its doomed line of Cobalt appliance servers. Administrators should upgrade to prevent remote exploits that could include cracking private keys, exposing confidential data, spoofing identities, escalating privileges, executing arbitrary code and denial of service.

Sun is still providing software updates, even though it's no longer selling the Cobalt line. In December, Sun moved its Cobalt appliance server brand to the "end-of-life" section.

Perhaps the most serious vulnerability is a heap-based buffer overflow in rsync. Remote attackers can use this to gain access to a system or execute arbitrary code. Sun has fixes for RaQ 550, Qube 3 and RaQ 4.

A defect in gnupg causes it to create El Gamal sign-and-encrypt keys incorrectly, using the same key component. This could allow an attacker to get the private key from a signature, which could be used to spoof identities and decrypt confidential data. Fixes are available for Qube 3, RaQ 550 and RaQ XTR.

An integer overflow in the ls program in the fileutils or coreutils packages can render applications that use ls, including wu-ftpd, vulnerable to remote exploitation. Attackers could cause a denial of service on the server. There are fixes for RaQ XTR, RaQ 550, Qube 3 and RaQ 4.

Finally, an update is available for an unspecified vulnerability in IPtables on RaQ 550.

Many ISPs use Cobalt application servers. Only a month ago, Sun released fixes for problems with BIND, slocate, tcpdump, Apache, ProFTPD and PostgreSQL. Sun plans to continue providing a knowledge base and support forum for Cobalt RaQ 550 until 2007.
