Sun Cluster Vulnerable to OpenSSL Flaw

Sun Microsystems on Wednesday warned that systems running Sun Cluster 3.x with SunPlex Manager configured were at risk of takeover because of known flaws in OpenSSL.

In a security advisory, Sun recommended that the SunPlex Manager be disabled until a comprehensive patch is ready, warning that exploitation of the vulnerability could lead to arbitrary code execution and denial-of-service scenarios.

Independent research firm Secunia is rating the vulnerability as “moderately critical.”

The confirmation of the system access and DoS vulnerabilities comes more than three months after the OpenSSL flaw was made public. Last October, the OpenSSL Project released new versions of its implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to plug multiple vulnerabilities.

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay were updated. The OpenSSL Project said any application that uses OpenSSL’s ASN.1 library to parse untrusted data was also susceptible.

The OpenSSL holes carry a “highly critical” rating.
