A security vulnerability in the Sun N1 Grid Engine daemons may allow local unprivileged users to kill either the qmaster or execd process and shutdown the grid service, creating a Denial of Service (DoS) condition. In certain cases, buffer overflows may be exploited by unprivileged local users to gain elevated privileges.

A remote privileged user may create a TCP (tcp(7p)) "ACK storm" or "ACK flood" which can cause a networked system to run out of resources, creating a Denial of Service (DoS) condition.

A TCP "ACK storm" can occur when a networked system sends a TCP packet which contains an incorrect sequence number to another networked system. The remote system will reply with a TCP ACK packet containing the expected sequence number and the originating system will send another packet with the incorrect sequence number. This exchange of ACK packets will continue indefinitely back and forth and thus create an "ACK storm".

This is the expected behavior of the Internet Transmission Control Protocol (TCP) protocol. The TCP protocol specification is described in RFC 793 at:

• http://www.ietf.org/rfc/rfc0793.txt

The patches listed in Section Two below limit the number of replies a Solaris system will make to a TCP packet with an incorrect sequence number and thus protect against an "ACK storm".

A local unprivileged user may be able to bypass the system's routing table and direct packets on a per-socket basis to or through an on-link router other than the one defined by the system. This could allow a user to send data to hosts and services that may not be ordinarily reachable and/or bypass a firewall.

Due to a vulnerability in the Solaris sysinfo(2) system call, a local unprivileged user may be able to read portions of kernel memory, which may contain sensitive data.

Sun acknowledges with thanks iDefense/VeriSign for bringing this issue to our attention.

This issue is also described at http://www.idefense.com/intelligence/vulnerabilities/display.php?id=410

A local or remote unprivileged user may be able to cause systems which have installed the Sun Java Enterprise System (JES) along with the patches listed below in Section 2 to become unresponsive or hang. This is a Denial of Service (DoS) due to a memory leak in the Network Security Services (NSS) software which is used by many of the Sun Java Enterprise System components such as the Sun Java System Application Server, the Sun Java System Web Server, and the Sun Java System Portal Server.

NSS is an open source project which adds support for SSL, S/MIME, and other Internet security standards to the Sun Java Enterprise System. Further information about NSS can be found at http://www.mozilla.org/projects/security/pki/nss/

This issue is also described in CVE-2006-3127 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3127

A local unprivileged user may be able to hang an x86 system that has loaded the kernel debugger kmdb(1). The ability to hang a system is a type of Denial of Service (DoS).

Security vulnerabilities in the Solaris event port API may allow a local unprivileged user the ability to run an application which uses the API in such a way as to cause the system to panic, leading to a Denial of Service (DoS) condition.

The Apache server is an example of an application that makes use of the event port API. On a system running Apache2 (Apache/2.2.0) it may be possible for a remote unprivileged user to cause that system to panic, resulting in a Denial of Service (DoS) condition.

A security vulnerability in Solaris 10 may allow a local unprivileged user the ability to panic the system using the special "/net" mount point (or a similarly configured mount point which uses the "-hosts" special map), creating a Denial of Service (DoS) condition.

A security vulnerability in StarOffice/StarSuite may make it possible to inject basic code into documents which is executed upon loading of the document. The user will not be asked or notified and the macro will have full access to system resources with current user's privileges. As a result, the macro may delete/replace system files, read/send private data and/or cause additional security issues.

Note: Disabling document macros will not prevent this issue.

This issue is also described in CVE CAN-2006-2198 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2198

Solaris 10 kernel patches 118822-29 or later for SPARC and 118844-29 or later for x86, may cause a system panic, kernel memory corruption, application failure, and/or data corruption.

This issue may allow an unprivileged local user the ability to panic the system or kill an application, creating a Denial of Service (DoS) condition. In addition, if the system is configured for anonymous ftp, this issue may allow an unprivileged remote user to panic the system.

A Cross Site Scripting (XSS) vulnerability in various releases of the Sun Java System Web Server and Sun Java System Application Server may allow an unprivileged local or remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.

Sun acknowledges with thanks, CERT and JPCERT/CC for bringing this issue to our attention.

This issue is described in JPCERT/CC Vulnerability JVN#03D5EAA8 at http://jvn.jp/jp/JVN%2303D5EAA8/index.html

Sun also acknowledges with thanks, Little eArth Corporation Co., Ltd., for discovering and reporting this issue.

It may be possible for a local or remote user to execute Java Applets which destroy/replace system files, read or send private data, and/or cause additional security issues by inducing a local user to load a specially crafted StarOffice/StarSuite document.

This issue is also described in the following document:

CVE CAN-2006-2199 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-2199

It may be possible for a local or remote unprivileged user to crash StarOffice/StarSuite or to execute arbitrary commands with the privileges of a user running the StarOffice/StarSuite application by inducing that user to load a specially crafted StarOffice/StarSuite document.

This issue is also described in the following document:

CVE CAN-2006-3117 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3117

A local or remote unprivileged user may be able to prevent the ypserv(1M) NIS server process from answering NIS name service requests. A Denial of Service (DoS) may occur as clients currently bound to the NIS server may experience hangs or slow performance. Users may no longer be able to log in on affected NIS clients.

A local or remote unprivileged user may be able to crash an application which dynamically links to the X Inter Client Exchange library (libICE) due to a security vulnerability in libICE. The ability to crash an application is a type of Denial of Service (DoS). A number of applications which comprise the GNOME desktop environment dynamically link with libICE.