-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2003.0731 -- Sun(sm) Alert Notification
              Sun Alert ID: 23412 - Vulnerability in Solaris
                "AnswerBook2 Documentation Server" Daemon
                              20 October 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                AnswerBook2 Documentation Server Daemon (versions
                        prior to 1.4.3)
Publisher:              Sun Microsystems
Operating System:       Solaris 8
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

Original bulletin available at:

         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F23412

See also the related issue (Sun Alert ID: 57400) at:

         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57400

- --------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 23412
   SYNOPSIS: Vulnerability in Solaris "AnswerBook2 Documentation Server"
   Daemon
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 23412
     * Synopsis: Vulnerability in Solaris "AnswerBook2 Documentation Server"
       Daemon
     * Category: Security
     * Product: AnswerBook2 Documentation Server
     * BugIDs: 4353727
     * Avoidance: Upgrade, Patch
     * State: Resolved
     * Date Released: 10-Aug-2000, 16-Oct-2003
     * Date Closed: 10-Aug-2000
     * Date Modified: 10-Aug-2000, 16-Oct-2003
       
1. Impact

   An unprivileged local or remote user may be able to execute arbitrary
   commands with the privileges of the AnswerBook2 server daemon, which
   is normally uid "daemon", on an AnswerBook2 (AB2) server system.
   
   This issue is one of two vulnerabilities discussed in S21sec advisory
   s21sec-004 at: [1]http://www.s21sec.com/en/avisos/s21sec-004-en.txt
   
   The other vulnerability discussed in the S21sec advisory is described
   in Sun Alert 57400.
   
   This issue is also described in Sun Security Bulletin #00196 at:
   [2]http://sunsolve.sun.com/pub-cgi/secBulletin.pl
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC
     * AnswerBook2 Documentation Server Version 1.4.1 or earlier
     * AnswerBook2 Documentation Server Version 1.4.2 without patch
       110011-02
       
   x86 Platform
     * AnswerBook2 Documentation Server Version 1.4.1 or earlier
     * AnswerBook2 Documentation Server Version 1.4.2 without patch
       110012-02
       
   Notes:
    1. AnswerBook2 is no longer supported as of Solaris 9, and thus
       Solaris 9 is not affected.
    2. AnswerBook2 Documentation Server version 1.4.2 first shipped with
       Solaris 8.
    3. AnswerBook2 Documentation Server versions 1.4.3 and later are not
       affected by this issue.
       
   To determine the version of the currently installed AnswerBook2
   Server, run the following command:
    $ grep SUNW_PRODVERS /var/sadm/pkg/SUNWab2[rsu]/pkginfo
    /var/sadm/pkg/SUNWab2r/pkginfo:SUNW_PRODVERS=1.4.2
    /var/sadm/pkg/SUNWab2s/pkginfo:SUNW_PRODVERS=1.4.2
    /var/sadm/pkg/SUNWab2u/pkginfo:SUNW_PRODVERS=1.4.2
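As an added illustration (not part of the Sun Alert), the POSIX shell helper below reads SUNW_PRODVERS output of the form shown above and applies the affected-version rules from sections 2 and 5: 1.4.3 or later is unaffected, 1.4.2 needs patch 110011-02 (SPARC) or 110012-02 (x86), and anything older needs an upgrade first. The installed patch list is assumed to be supplied by the caller as a space-separated string (on a Solaris 8 host it would be taken from the patch database, which this Alert does not describe); the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the Sun Alert. Classifies an AnswerBook2 install
# against the affected ranges in this Alert. Assumes SUNW_PRODVERS uses the
# dotted MAJOR.MINOR.MICRO form shown above and patch IDs look like NNNNNN-RR.

# Print the first SUNW_PRODVERS value found in pkginfo-style text on stdin.
ab2_version_from_pkginfo() {
    sed -n 's/^.*SUNW_PRODVERS=\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Map "1.4.2" to a comparable integer (each component assumed < 1000).
vernum() {
    echo "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# has_patch BASEID MINREV "PATCHLIST": true if BASEID is installed at a
# revision >= MINREV (a later revision of the same patch also counts).
has_patch() {
    for p in $3; do
        case "$p" in *-*) ;; *) continue ;; esac   # skip malformed entries
        base=${p%-*}; rev=${p#*-}
        if [ "$base" = "$1" ] && [ "$rev" -ge "$2" ]; then return 0; fi
    done
    return 1
}

# ab2_status VERSION ARCH(sparc|x86) "PATCHLIST": prints the Alert's verdict.
ab2_status() {
    v=$(vernum "$1")
    if [ "$v" -ge "$(vernum 1.4.3)" ]; then echo "not-affected"; return 0; fi
    if [ "$v" -lt "$(vernum 1.4.2)" ]; then
        echo "affected: upgrade to 1.4.2 then patch"; return 0
    fi
    case "$2" in
        sparc) id=110011 ;;
        x86)   id=110012 ;;
        *)     echo "unknown-arch"; return 0 ;;
    esac
    if has_patch "$id" 02 "$3"; then
        echo "not-affected"
    else
        echo "affected: apply patch $id-02"
    fi
}

# Constructed sample: a SPARC host at 1.4.2 with the required patch installed.
sample_pkginfo='/var/sadm/pkg/SUNWab2r/pkginfo:SUNW_PRODVERS=1.4.2'
sample_patches='108528-15 110011-02'
ab2_status "$(printf '%s\n' "$sample_pkginfo" | ab2_version_from_pkginfo)" sparc "$sample_patches"
```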

3. Symptoms

   There are no predictable symptoms that would show the described issue
   has been exploited to execute arbitrary commands with the privileges
   of the AnswerBook2 daemon on a system.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   Sites which have configured AnswerBook2 Documentation Servers may wish
   to disable AB2 and instead refer to Sun documentation at the Sun
   Product Documentation web site at: [3]http://docs.sun.com or view the
   documentation on the Solaris Documentation CD.
   
   To disable the AnswerBook2 Documentation Server, the following
   commands can be run as the root user:
    # /usr/lib/ab2/bin/ab2admin -o stop
    # /usr/lib/ab2/bin/ab2admin -o autostart_no


5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Upgrade to AnswerBook2 Documentation Server version 1.4.2 with
       patch 110011-02
       
   x86 Platform
     * Upgrade to AnswerBook2 Documentation Server version 1.4.2 with
       patch 110012-02
       
   Notes:
    1. Sites with AnswerBook2 Documentation Server version 1.4.1 or
       earlier need to first upgrade AnswerBook2 to version 1.4.2 before
       applying the above patches.
    2. AnswerBook2 Documentation Server version 1.4.2 is available for
       download at: [4]http://www.sun.com/software/ab2
       
Change History:

   15-Oct-2003:
     * Updated: Contributing Factors, Symptoms, Relief/Workaround, and
       Resolution sections
   
   APPLIES TO: Network Security

References

   1. http://www.s21sec.com/en/avisos/s21sec-004-en.txt
   2. http://sunsolve.sun.com/pub-cgi/secBulletin.pl
   3. http://docs.sun.com/
   4. http://www.sun.com/software/ab2

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP5Nk0ih9+71yA2DNAQHN2gQAg+0xRfRxziY3j5DDhY3YD+23l4/9i3vI
p2spV/KwgWPYDKB9HBumc/GTN2jEfaPfD2/FFjU8YG42kJcK5k2eB8Ye5lQxTsnX
x4FCeUoJu1ZEI0DFQ189lJ0k1DrKDFzLkXw1syfxZpuTBQtUQb4+MPeq9du2aHNC
5uQvtIxdEmI=
=TxH0
-----END PGP SIGNATURE-----