Sun Alert Notifications from Sun Weekly Report dated Sep 30, 2006

Original Release Date: October 25, 2006
Last Revised: April 11, 2007
Number: ASA-2006-235
Risk Level: Medium
Advisory Version: 3.0
Advisory Status: Final

1. Overview:

New Sun Alert Notifications from Sun Microsystems have been issued and are described below. Issues which have been resolved by Sun Microsystems have been indicated as such. Notifications without a resolution may have restrictions to additional information on the sunsolve.sun.com website.

102144 (RESOLVED)
Vulnerability With Solaris IPv6 May Allow a Remote User the Ability to Create a Denial of Service Condition
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
Category: Security
Date Released: 28-Sep-2006
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102144-1
102510 (RESOLVED)
Security Vulnerability May Allow the syslog(3C) Service to be Disabled
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
Category: Security
Date Released: 25-Sep-2006
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102510-1
102563 (RESOLVED)
A Remote SSL Client May be Able to Cause a Denial of Service (DoS) of a Solaris 10 System Running a Kernel SSL Service Instance
Product: Solaris 10 Operating System
Category: Security
Date Released: 26-Sep-2006
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102563-1
102568 (RESOLVED)
A Security Issue With Solaris 10 x64 Systems Using IPv6 Forwarding May Result in a Denial of Service (DoS)
Product: Solaris 10 Operating System for x86 Platforms
Category: Security
Date Released: 25-Sep-2006
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102568-1
102650 (RESOLVED)
Cross-site Scripting Vulnerabilities in the Sun Secure Global Desktop Software
Product: Sun Secure Global Desktop Software 4.2
Category: Security
Date Released: 29-Sep-2006
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102650-1

Avaya System Products using a Sun Microsystems Operating System:
Avaya system products include an Operating System with the product when it is delivered. The Avaya Call Management System (CMS) and the Avaya Interactive Response (IR) are both shipped with an operating system from Sun Microsystems. Actions to be taken on those products are described below.

Recommended Actions:
Follow the recommended actions for each notification described below. This advisory will be updated as additional information becomes available.

Sun Advisory: Affected S/W Version Risk Comments or Recommended Actions
102144 CMS - V9, V11, R12, R13/R13.1


IR - None
Medium


None
CMS V9, V11 - Install patch 116965-22 or subsequent
CMS R12, R13, R13.1 - Install patch 114344-21 or subsequent

IR does not use IPv6 by default
102510 CMS - V9, V11, R12, R13/R13.1






IR
Low







Low
The patch is a kernel patch and is only approved for loading on CMS systems through a baseload upgrade procedure. CMS V9 will not be updated to include this patch.

CMS V11- Patch available in the latest GA load.

CMS V12- Patch available in the latest GA load.

CMS - R13.1 - Patch available in the latest GA load.

IR - Avaya recommends installing the February 13 Solaris Cluster available from the Interactive Response section of support.avaya.com.
102563 All None CMS does not use the Solaris 10 platform and IR does not make use of kernel SSL Service Instances.
102568 All None Neither CMS nor IR utilize Solaris 10 on the x86/x64 architecture.
102650 All None CMS and IR do not use the Sun Secure Global Desktop Software Product.

2. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

3. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

4. Revision History:

V 1.0 - October 25, 2006 - Initial Statement issued.
V 2.0 - October 30, 2006 - Updated the Recommended Actions for CMS R13.1 for Sun Alert ID 102510.
V 3.0 - April 11, 2007 - Updated Recommended Actions for CMS and IR. Changed Advisory Status to Final.

Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.

© 2006 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.