Sun Microsystems Inc has announced that a security software addition to its Cobalt RaQ 4 server appliance contains a flaw that could enable attackers to execute arbitrary code. Not only that, but the company also admits that it currently has no way to fix the problem.
The Santa Clara, California-based company said there is a flaw in the Security Hardening Package (SHP), an optional addition to the RaQ 4 software that was designed to add security features such as root privilege control, buffer overflow protection, scan protection, logging and lockout.
The company has subsequently discovered that the SHP has a vulnerability in the overflow cgi script, which does not properly filter input and could enable a hacker to execute arbitrary code with superuser privileges. Sun has issued a patch to deal with the problem, but all that patch does is remove the SHP, and with it all the security benefits it provided.
The company has not yet come up with a workaround that would let users keep the security features of the SHP without the security flaw. Meanwhile, the CERT Coordination Center has issued an advisory that does describe a workaround, which involves blocking access to the Cobalt RaQ 4 administrative server at the network perimeter.