Online vandals are using a two-month-old security hole in Sun's Solaris OS to break into servers on the Internet, a security expert said Tuesday. Last I heard, a majority of production J2EE apps are deployed on Sun/Solaris.
- Posted by: sharat nellutla
- Posted on: January 16 2002 09:49 EST
read more @ http://dailynews.yahoo.com/h/cn/20020116/tc/solaris_hole_opening_way_for_hackers_1.html
- Solaris hole opening way for hackers by Tiberiu Fustos on January 16 2002 14:41 EST
- Solaris hole opening way for hackers by Bruce Blackshaw on January 17 2002 05:26 EST
- Solaris hole opening way for hackers by Ferhat SAVCI on January 22 2002 02:58 EST
- Solaris hole opening way for hackers by Stu Charlton on January 23 2002 00:18 EST
It seems that the problem is located in the CDE (see http://www.cert.org/advisories/CA-2001-31.html). Ideally, people should not run CDE on application servers which require high performance and security. You would leave only the minimal set of services for the server's function and administrability. Also, the application servers are much better behind a second firewall, not in the front-line of the intruders... And even for the webserver, it only works if the service is enabled and its port accessible. I think it's far less critical to websites than the Windows vulnerabilities through IIS.
Yeah, I think Solaris is a great and strong OS! But it is also poor! So it will become stronger through the action!
This is news? There are new security holes announced in Solaris and applications that run on Solaris (e.g. BIND) every week.
Sun have issued a patch, and here a hacker attacked an unpatched server. Probably 90% of people don't apply patches.
... and if it is behind a firewall with only port 80 open then you don't have to worry about this particular flaw.
Anybody getting into this kind of problem (running any operating system on an un-protected Internet-accessible network) deserves it.
If you run Solaris, check out Sun's blue-prints at http://www.sun.com/blueprints.
Look for "system hardening" and "operating system minimization" in particular. Even if you run some different flavor of Unix or even Windows, you will benefit. With Windows, you cannot apply all the information (e.g., shut down some MS services or uninstall/remove some programs and you cannot operate normally <insert your joke about Windows' normal operation here, if you must>) but it's worthwhile to get the idea.
Second, look for "building secure n-tier environments". You will greatly benefit from that as a developer/architect.
One can run CDE fine on an app server; the issue is that
a) you shouldn't run the particular service (dtspcd) with the security hole; it's not needed for normal CDE operation.
b) you should use tcpd / TCP wrappers to block untrusted hosts from all your active non-HTTP services.
c) you should probably have a firewall in front of it blocking all upper ports as an added precaution.
All of this stuff is just a matter of proper administration. It would be nice if Sun would provide an out-of-box model for locking down the system in this way.
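Points a) and b) of the post above can be checked against a host's inetd configuration. The following is an added example, not part of the original thread: the function names are hypothetical, the sample entries and the tcpd path are constructed, and the classic inetd.conf layout (server program in field 6) is assumed.

```shell
#!/bin/sh
# Audit inetd.conf-style input (file argument, or stdin when none is given).
# Prints one finding per active entry: "<STATUS> <service>/<proto> <program>"
#   DISABLE   - the dtspcd service named in the thread; turn it off
#   UNWRAPPED - active service not started through tcpd (TCP wrappers)
#   WRAPPED   - active service started through tcpd
#   INTERNAL  - handled inside inetd itself, so tcpd is not in the path
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }      # skip comments and malformed lines
        {
            svc = $1; proto = $3; prog = $6
            n = split(prog, parts, "/"); base = parts[n]
            if (svc == "dtspcd")         status = "DISABLE"
            else if (prog == "internal") status = "INTERNAL"
            else if (base == "tcpd")     status = "WRAPPED"
            else                         status = "UNWRAPPED"
            print status, svc "/" proto, prog
        }' "$@"
}

# Number of entries that need an administrator's attention.
count_actionable() {
    audit_inetd "$@" |
        awk '$1 == "DISABLE" || $1 == "UNWRAPPED" { n++ } END { print n + 0 }'
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed example entries
ftp     stream  tcp     nowait  root    /usr/local/bin/tcpd     in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
daytime stream  tcp6    nowait  root    internal
dtspcd  stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
EOF
}

sample_inetd_conf | audit_inetd
echo "entries needing action: $(sample_inetd_conf | count_actionable)"
```

On a real host, pass the configuration file as the argument, for example `audit_inetd /etc/inetd.conf`.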