Solaris hole opening way for hackers



  1. Solaris hole opening way for hackers (6 messages)

    Online vandals are using a two-month-old security hole in Sun's Solaris OS to break into servers on the Internet, a security expert said Tuesday. Last I heard, a majority of production J2EE apps are deployed on Sun/Solaris.

    read more @
  2. It seems that the problem is located in the CDE (see Ideally, people should not run CDE on application servers which require high performance and security. You would leave only the minimal set of services for the server's function and administrability. Also, the application servers are much better behind a second firewall, not in the front-line of the intruders... And even for the webserver, it only works if the service is enabled and its port accessible. I think it's far less critical to websites than the Windows vulnerabilities through IIS.
  3. Yeah, I think Solaris is a great and strong OS! But it is also poor! So it will become stronger through the action!
  4. This is news? There are new security holes announced in Solaris and applications that run on Solaris (e.g. BIND) every week.

    Sun have issued a patch, and here a hacker attacked an unpatched server. Probably 90% of people don't apply patches.
  5. ... and if it is behind a firewall with only port 80 open then you don't have to worry about this particular flaw.


  6. Anybody getting into this kind of problem (running any operating system on an un-protected Internet-accessible network) deserves it.

    If you run Solaris, check out Sun's blue-prints at

    Look for "system hardening" and "operating system minimization" in particular. Even if you run some different flavor of Unix or even Windows, you will benefit. With Windows, you cannot apply all the information (e.g., shut down some MS services or uninstall/remove some programs and you cannot operate normally <insert your joke about Windows' normal operation here, if you must>) but it's worthwhile to get the idea.

    Second, look for "building secure n-tier environments". You will greatly benefit from that as a developer/architect.

  7. One can run CDE fine on an app server, the issue is that

    a) you shouldn't run the particular service (dtspcd) with the security hole. It's not needed for normal CDE operation.
    b) you should use tcpd / TCP wrappers to block untrusted hosts from all your active non-HTTP services.
    c) you should probably have a firewall in front of it blocking all upper ports as an added precaution

    All of this stuff is just a matter of proper administration; it would be nice if Sun would provide an out-of-box model for locking down the system in this way.
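
An added example, not part of the thread and not Sun's tooling: a shell function that audits an inetd.conf-style file for points (a) and (b) of the last post, reporting an enabled dtspcd entry and any enabled TCP service not started through tcpd. The sample entries are constructed, and the field layout and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf for the host-level
# checks in the last post. Assumed field layout:
#   service socket proto wait user server_path args...

# Constructed sample entries; paths are illustrative, not copied from a real host.
sample_conf() {
cat <<'EOF'
# telnet is started through the TCP wrapper
telnet  stream tcp nowait root /usr/sbin/tcpd       in.telnetd
ftp     stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
dtspc   stream tcp nowait root /usr/dt/bin/dtspcd   /usr/dt/bin/dtspcd
#shell  stream tcp nowait root /usr/sbin/in.rshd    in.rshd
time    dgram  udp wait   root internal
EOF
}

# audit_inetd FILE prints one finding per line:
#   DTSPCD_ENABLED <service>  an uncommented entry launches dtspcd
#   UNWRAPPED <service>       an enabled TCP service not started through tcpd
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }      # comments, blank and short lines
        {
            wrapped = ($6 ~ /(^|\/)tcpd$/)
            daemon = wrapped ? $7 : $6     # behind tcpd the real daemon is the first arg
            if (daemon ~ /(^|\/)dtspcd$/) print "DTSPCD_ENABLED " $1
            if ($3 ~ /^tcp/ && !wrapped)   print "UNWRAPPED " $1
        }
    ' "$1"
}

# Stand-alone run over the sample; pass the host's own inetd.conf to audit a server.
conf=$(mktemp) && sample_conf > "$conf"
audit_inetd "$conf"
rm -f "$conf"
```

A service listed as UNWRAPPED is still subject to whatever the firewall in point (c) blocks; the audit only covers what inetd itself will launch.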