Patch-ID# 109736-13


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: encryption efs security international ha ftp fragmentation proxy
Synopsis: SunScreen 3.1 LITE (sparc) miscellaneous fixes
Date: Mar/09/2004


******************************************************
The items made available through this website
are subject to United States export laws and
may be subject to export and import laws
of other countries. You agree to strictly comply
with all such laws and obtain licenses to
export, re-export, or import as may be required.
Unless expressly authorized by the United States
Government to do so you will not, directly or
indirectly, export or re-export the items made
available through this website, nor direct the
items therefrom, to any embargoed or restricted
country identified in the United States export
laws, including but not limited to the Export
Administration Regulations (15 C.F.R. Parts
730-774).
******************************************************

Install Requirements: See Special Install Instructions

Solaris Release: 8

SunOS Release: 5.8

Unbundled Product: SunScreen EFS

Unbundled Release: 3.1 LITE

Xref: This patch is available for x86 as Patch 109737.

Topic:

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #    Bug #
4048429     14938353
4266794     14997776
4328055     15021228
4333069     15023488
4347894     15029830
4347899     15029837
4347905     15029840
4355078     15032495
4365144     15036251
4366229     15036605
4368757     15037501
4370757     15038174
4371086     15038266
4371655     15038480
4371831     15038566
4373963     15039337
4373964     15039338
4373966     15039339
4373972     15039342
4373976     15039343
4377829     15040701
4389132     15044634
4395538     15046602
4400107     15048102
4412981     15052229
4418010     15053905
4418578     15054074
4431381     15058409
4432276     15058745
4432480     15058826
4433735     15059278
4458205     15064326
4467805     15067577
4468944     15067946
4474065     15069663
4475718     15070250
4475976     15070361
4483861     15073036
4485964     15073761
4489200     15074816
4491469     15075547
4493103     15076022
4494052     15076332
4530873     15088315
4632254     15095556
4713896     15114657
4729278     15118555
4760976     15127803
4762492     15128244
4764370     15128874
4764373     15128877
4767244     15129800
4770205     15130776
4786474     15135758
4795556     15138638
4801062     15140694
4837929     15152500
4845456     15154782
4861572     15159392
4890614     15167747
4913304     15174480
4926941     15178220
4959989     15187103


Changes incorporated in this version: 4926941 4913304 4959989

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/init.d/plumbsunscreen
/etc/rcS.d/S20plumbsunscreen
/kernel/drv/screen
/kernel/drv/sparcv9/screen
/kernel/strmod/efs
/kernel/strmod/sparcv9/efs
/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Client.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/OutputReader.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/RemoteCommand.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Server.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/logbrowser/LogBrowser.class
/opt/SUNWicg/SunScreen/admin/htdocs/plugin/welcome.html
/opt/SUNWicg/SunScreen/admin/htdocs/welcome.html
/opt/SUNWicg/SunScreen/bin/sslogmgmt
/opt/SUNWicg/SunScreen/lib/authuser
/opt/SUNWicg/SunScreen/lib/datacompiler
/opt/SUNWicg/SunScreen/lib/efs2to3
/opt/SUNWicg/SunScreen/lib/getlog
/opt/SUNWicg/SunScreen/lib/jar_hash
/opt/SUNWicg/SunScreen/lib/jar_sig
/opt/SUNWicg/SunScreen/lib/logdump
/opt/SUNWicg/SunScreen/lib/logmacro
/opt/SUNWicg/SunScreen/lib/logmsg
/opt/SUNWicg/SunScreen/lib/natcompiler
/opt/SUNWicg/SunScreen/lib/proxyuser
/opt/SUNWicg/SunScreen/lib/screeninfo
/opt/SUNWicg/SunScreen/lib/ss_access_convert
/opt/SUNWicg/SunScreen/lib/ss_compiler
/opt/SUNWicg/SunScreen/lib/ss_disable_send
/opt/SUNWicg/SunScreen/lib/ss_logd
/opt/SUNWicg/SunScreen/lib/ss_rule_convert
/opt/SUNWicg/SunScreen/lib/ss_upgrade
/opt/SUNWicg/SunScreen/lib/statetables
/opt/SUNWicg/SunScreen/lib/statetables64
/opt/SUNWicg/SunScreen/lib/strs
/opt/SUNWicg/SunScreen/lib/unplumb_solaris8
/opt/SUNWicg/SunScreen/lib/user_authenticate
/opt/SUNWicg/SunScreen/lib/vars
/opt/SUNWicg/SunScreen/ssadm/edit
/opt/SUNWicg/SunScreen/ssadm/lock
/opt/SUNWicg/SunScreen/ssadm/log
/opt/SUNWicg/SunScreen/ssadm/logdump
/opt/SUNWicg/SunScreen/ssadm/logmacro
/opt/SUNWicg/SunScreen/ssadm/logstats
/opt/SUNWicg/SunScreen/ssadm/traffic_stats
/opt/SUNWicg/SunScreen/support/nattables
/opt/SUNWicg/SunScreen/support/nattables64
/opt/SUNWicg/SunScreen/support/packages
/opt/SUNWicg/SunScreen/support/statetable_summary
/opt/SUNWicg/SunScreen/support/versions
/opt/SUNWicg/sunscreen/ssadm/debug_level
/sbin/ss_plumb_interface
/usr/kernel/drv/screen_skip
/usr/kernel/drv/sparcv9/screen_skip
/usr/kernel/misc/screen_dns
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_ip
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_ping
/usr/kernel/misc/screen_pmap
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/screen_stateless
/usr/kernel/misc/screen_tcp
/usr/kernel/misc/screen_udp
/usr/kernel/misc/sparcv9/screen_dns
/usr/kernel/misc/sparcv9/screen_fail
/usr/kernel/misc/sparcv9/screen_ftp
/usr/kernel/misc/sparcv9/screen_ip
/usr/kernel/misc/sparcv9/screen_nfsro
/usr/kernel/misc/sparcv9/screen_normal
/usr/kernel/misc/sparcv9/screen_ping
/usr/kernel/misc/sparcv9/screen_pmap
/usr/kernel/misc/sparcv9/screen_raudio
/usr/kernel/misc/sparcv9/screen_rsh
/usr/kernel/misc/sparcv9/screen_sqlnet
/usr/kernel/misc/sparcv9/screen_stateless
/usr/kernel/misc/sparcv9/screen_tcp
/usr/kernel/misc/sparcv9/screen_udp
/opt/SUNWicg/SunScreen/lib/logmgmt-Xample

Problem Description:

4926941 sunscreen 3.2 pmap state engine dropping NULL procedure
4913304 Retransmission FIN packet is dropped in CLOSING state
4959989 Fin Ack does not change state to ESTABLISHED
 
(from 109736-12)
 
4837929 Unable to use ifconfig to remove SunScreen module from network interface.
4795556 ssadm logdump command hangs after some minutes
4389132 wrong version number of new created policy shown.
4433735 security home page URL at welcome screen should pop-up new browser window.
4861572 Sunscreen 3.1 network connectivity slows to unusable level
4890614 Patch 109734-09 breaks nattables command.
4801062 Customer wants a less descriptive log that does not resolve hostnames, only IP addresses
 
There is a new -r option to the logdump command; it forces logdump not
to use the name service to resolve IP addresses to names.
 
Example:
 
ssadm log get | ssadm logdump -i  -r
 
statetable_summary
------------------
 
This script is provided to aid diagnosis of performance problems caused by
large state tables. It performs analysis on a file containing the output
from one of:
 
ssadm lib/statetables
ssadm lib/nattables
ssadm lib/screeninfo
 
Usage:
 
/usr/lib/sunscreen/support/statetable_summary file_to_analyse
 
The output is written to stdout and files in /var/tmp
 
This script can be run on a system with SunScreen installed in which case
it will run the statetables & nattables commands directly if an input file
is not specified.
 
If an input file is provided then the script can be run on any Solaris
system, it does not have to be run on the screen. In many cases this
is desirable because the script can take a very long time to run and
generate significant load on the system if the statetable it is analysing
is very large.
 
As with all programs in /usr/lib/sunscreen/support this is
provided for support purposes only and not a supported part of the product.
 
(from 109736-11)
 
4845456 FIN packet is unexpectedly dropped in CLOSING state
 
(from 109736-10)
 
4786474 Random errors from unplumb_solaris8
 
(from 109736-09)
 
4371086 NFS state engine assumes 20 byte tcp header size
4467805 UDP hash lookup needs improvement
4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback
4483861 ttls for NAT entries need to be more closely related to stateentries
4491469 reply packets don't match broadcast UDP sessions, get dropped
4713896 SunScreen3.1 allows to pass the TCP data packets prior to 3way-hand-shake.
4729278 logdump does no bounds checking on transient ports array
4760976 Fin Attack!! port continues being open
4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer.
4764370 Duplicate Syn/Ack can change SunScreen state from ESTABLISHED to CONNECTING
4764373 SunScreen does not check sequence numbers of FIN packets
4767244 SunScreen allows FIN packet in CONNECTING state.
4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly
 
(from 109736-08)
 
4371655 PASSIVE screen leaks skip encrypted packets
4458205 traffic_stats output has error
4468944 SunScreen drops TCP ECN packets
4474065 SunScreen cluster can hang (allocb fail)
4530873 ssadm traffic_stats reports negative values
4632254 sqlnet engine hangs after fetching few records
 
(from 109736-07)
 
4418010 sslogmgmt always returns error: argument expected
4475718 large number of address objects in policy can cause compile failure
4493103 TCP state fails on duplicate SYN, connection drops after 120 seconds
4494052 UDP 162 is not being blocked
 
(from 109736-06)
 
4432480 Sunscreen NAT has performance problems in certain topologies
4485964 PASV ftp and DYNAMIC NAT broken
4489200 panic in statetable cleanup routines
 
(from 109736-05)
 
4432276 Performance degradation due to inefficient TCP Hash function
 
(from 109736-04)
 
4418578 IP addresses get garbled with first activation of policy on interface
4412981 ftp state engine does not recognize RST
4431381 ftp state engine confused in certain instances when MicroSoft server is used
 
(from 109736-03)
 
4355078 performance in stealth mode slower than SPF-200
4400107 sunscreen consuming large amounts of kernel memory
4395538 ss_logd core dumps causing the system to hang
4377829 HA screen will become passive if an interface cable is unplugged.
4373963 screeninfo output gets truncated.
4266794 ssadm screeninfo does not return ip_forwarding status
4373976 misc enhancements to screeninfo.
4048429 Configurations names with spaces don't work
4373966 screeninfo does not get SCCS versions of all files.
4373972 screeninfo should perform consistency checks on SunScreen packages.
4373964 Patch information retrieved by screeninfo can be incorrect.
4365144 ftp state engine can't handle tcp option tstamp on PORT packets
 
(from 109736-02)
 
4366229 When encryption rule added, machine gets stack overflow panic
4368757 "*" service should be based on ipmobile not iptunnel
4370757 PASV FTP vulnerability fix breaks NAT sequence numbers
4371831 Fragmentation Needed but DF bit set message sent out in error
 
(from 109736-01)
 
4328055 ssadm logdump -i file -x0 does not display hex dump of packet
4333069 traffic passes to undefined addresses despite rules
4347894 Vulnerable to the PASV FTP attack that was published on "bugtraq"
4347899 File containing something that looks like FTP commands could be misinterpreted
4347905 vulnerable to the jolt2.c fragmentation attack


Patch Installation Instructions:
--------------------------------
See Special Install Instructions.


Special Install Instructions:
-----------------------------
 
Installation Instructions for the Administration Station
--------------------------------------------------------
 
1. Become root on the Administration Station.
 
2. If you are running Solaris 2.6 on the administration station, ensure
   that you have already installed the latest version of Solaris patch 106125.
   Version 106125-06 is available on your EFS 3.1 CD. 
 
3. Transfer the patch file to the Administration Station.
 
4. Then type:
 
        # uncompress 109736-13.tar.Z
        # tar xf 109736-13.tar
        # patchadd 109736-13
 
 
Installation Instructions for Locally Administered Screens
----------------------------------------------------------
 
1. Become root on the Screen.
 
2. If you are running Solaris 2.6 on the Screen, ensure that you have 
   already installed the latest version of Solaris patch 106125-06.
   Version 106125-06 is available on your SunScreen EFS 3.1 CD.
 
3. Transfer patch file to the Screen using a diskette or ftp (with 3 MB free).
 
4. Type the following:
        # uncompress 109736-13.tar.Z
        # tar xf 109736-13.tar
        # patchadd 109736-13
 
5. Reboot the Screen.
 
 
Instructions for Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------
 
Use this procedure ONLY if you cannot otherwise transfer the patch to 
the Screen.
 
1. Become root on the Administration Station.
 
2. If you are running Solaris 2.6 on the Screen, ensure that you have 
   already installed the latest version of Solaris patch 106125-06.
   Version 106125-06 is available on your SunScreen EFS 3.1 CD.
 
3. Transfer the patch file to the Administration Station.
 
4. Type the following:
        # ssadm -r <Name_of_Screen> patch install < 109736-13.tar.Z
 
Installation Instructions for High Availability (HA) clusters.
--------------------------------------------------------------
 
 
1. Determine which screen is ACTIVE within the HA Cluster using the following
   command on each:
 
        # ssadm ha status
 
2. Follow appropriate patch installation instructions from this README file to 
   install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster 
   (determined from the previous step).
 
3. Be sure to reboot that screen upon completion of the patch installation.
 
4. After the reboot, the screen which the patch was just installed on 
   will come up in PASSIVE mode and some other member of the HA cluster
   will become ACTIVE.
 
5. Repeat steps 1-4 until the patch has been applied to all members of 
   the HA cluster.
 
Notes on patching HA clusters:
 
If the patch is installed on a PASSIVE screen before it is installed on an
ACTIVE screen, the HA daemon ss_had can core dump, this gives symptoms similar
to bug 4347381.
 
The SunScreen HA model works by having 2 or more firewalls in parallel. Both
firewalls see the same packets and hence calculate the same statetable entries.
If a packet matches a statetable entry, then it is passed through the screen.
 
If the ACTIVE screen is rebooted, one of the PASSIVE firewall(s) will take over. 
Existing connections will still be maintained as the PASSIVE firewall(s)
which has just become ACTIVE will have the statetable entries.
 
Once the originally ACTIVE firewall has been rebooted, it will have an empty
statetable. This firewall will add any new connections made since it was 
rebooted to its statetable, but will not know about connections established
before it was rebooted. If the currently ACTIVE screen is rebooted, some
connections may get dropped.
 
It's not possible to say exactly how long it will take for both (all) the
firewalls to have the same statetable entries, as this will depend on the
type of connection being passed and the lifetime of this connection.
Running the following command on both (all) firewalls in the cluster will
give the administrator a good indication of when it is safe to reboot 
the second firewall, without significant loss of service:
 
	# ssadm lib/statetables | grep ESTABLISHED | wc -l
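The statetable_summary description above and the ESTABLISHED count used for the HA reboot decision both work on `ssadm lib/statetables` output. The following is an added example, not part of this README or of the SunScreen product: a small sh script that counts entries per TCP state from captured statetables output and turns the count into a yes/no answer on whether a rebooted screen has rebuilt enough of the table. It assumes only what the README relies on, that each statetables line carries the state keyword (ESTABLISHED, CONNECTING, CLOSING) somewhere on the line; the two table samples are constructed for the example, not captured from a real screen, and the catch-up threshold is an assumed operator choice.

```shell
#!/bin/sh
# Added example, not SunScreen code.  Assumes each `ssadm lib/statetables`
# line contains its TCP state keyword, as the README's grep relies on.

# Constructed sample: what two HA members might report shortly after the
# formerly ACTIVE screen (screen_b) was rebooted and came back PASSIVE.
SCREEN_A_TABLE='tcp 10.0.0.5:41322 -> 192.0.2.10:443 ESTABLISHED ttl=3600
tcp 10.0.0.6:41400 -> 192.0.2.10:443 ESTABLISHED ttl=3500
tcp 10.0.0.7:55001 -> 192.0.2.20:22  CLOSING ttl=60
tcp 10.0.0.8:55010 -> 192.0.2.20:22  ESTABLISHED ttl=3400
udp 10.0.0.9:53000 -> 192.0.2.53:53  ttl=30'

SCREEN_B_TABLE='tcp 10.0.0.8:55010 -> 192.0.2.20:22  ESTABLISHED ttl=3400
tcp 10.0.0.11:40001 -> 192.0.2.10:443 CONNECTING ttl=10'

# Number of lines in table text $1 carrying state keyword $2.  Same idea
# as the README's "| grep ESTABLISHED | wc -l"; "|| true" keeps a zero
# count from being reported as a failure under set -e.
count_state() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# One "STATE count" line per TCP state, a tiny cousin of statetable_summary.
summarize_states() {
    for s in ESTABLISHED CONNECTING CLOSING; do
        printf '%s %s\n' "$s" "$(count_state "$1" "$s")"
    done
}

# Returns 0 when the rebooted (PASSIVE) screen $2 holds at least $3 percent
# of the ESTABLISHED entries seen on the ACTIVE screen $1, 1 otherwise.
# The percentage is the operator's own threshold (assumed here), because
# the README notes that convergence time depends on the traffic mix.
ha_caught_up() {
    active=$(count_state "$1" ESTABLISHED)
    passive=$(count_state "$2" ESTABLISHED)
    [ "$active" -eq 0 ] && return 0
    [ $((passive * 100 / active)) -ge "$3" ]
}

# Stand-alone run: print both summaries and the verdict at 90 percent.
summarize_states "$SCREEN_A_TABLE"
summarize_states "$SCREEN_B_TABLE"
if ha_caught_up "$SCREEN_A_TABLE" "$SCREEN_B_TABLE" 90; then
    echo "safe to reboot the other screen"
else
    echo "wait: rebooted screen still rebuilding its statetable"
fi
```

On a live cluster the two table variables would be filled from `ssadm lib/statetables` on each member (or `ssadm -r <Name_of_Screen> lib/statetables` from the Administration Station); only the ESTABLISHED line count is used for the decision, as in the README's one-liner.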
 
 
Instructions for Identifying Patches Installed on System
--------------------------------------------------------
 
1. To identify the patch level on your locally administered Screen,
   type the commands:
 
        # ls -lt /var/sadm/patch > screen.pkginfo
        # pkginfo -l >> screen.pkginfo
 
2. To identify the patch level on your remotely administered Screen
   in stealth mode: 
 
        # ssadm -r <Name_of_Screen> lib/support packages > screen.pkginfo
 
   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and
   (3) the contents of /var/log/patch.log.
 
3. To identify the patch level on your Administration Station, type 
   the commands:
 
        # ls -lt /var/sadm/patch > admin.pkginfo
        # pkginfo -l >> admin.pkginfo
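The listings above let an administrator see which patch revisions are present, but the practical question is usually "is 109736 installed at revision 13 or later on every screen and the Administration Station?". The following is an added example, not part of this README: a sh script that reads the directory names from a `/var/sadm/patch` listing, picks the highest revision of a given patch base id, and compares it with the required revision. The listing below is constructed for the example, not taken from a real system.

```shell
#!/bin/sh
# Added example, not SunScreen code.  Works on the directory names found
# under /var/sadm/patch, which are "<base id>-<revision>" as in 109736-13.

# Constructed sample of `ls /var/sadm/patch` output on a screen.
SAMPLE_PATCH_DIRS='108528-29
109736-12
109741-04
110380-05'

# Highest installed revision of base id $2 in listing $1, or -1 if absent.
# Only whole "<id>-<rev>" names are accepted, so 1097361-01 cannot match
# 109736 by prefix.
installed_rev() {
    rev=$(printf '%s\n' "$1" | sed -n "s/^$2-\([0-9][0-9]*\)\$/\1/p" | sort -n | tail -1)
    if [ -z "$rev" ]; then echo -1; else echo "$rev"; fi
}

# Returns 0 when base id $2 is installed at revision >= $3, else 1.
patch_satisfied() {
    have=$(installed_rev "$1" "$2")
    [ "$have" -ge "$3" ]
}

# Stand-alone run against the sample: this README's patch is 109736-13.
if patch_satisfied "$SAMPLE_PATCH_DIRS" 109736 13; then
    echo "109736-13 or later present"
else
    echo "109736-13 missing (installed revision: $(installed_rev "$SAMPLE_PATCH_DIRS" 109736))"
fi
```

To run it against a real screen, replace the sample with `ls /var/sadm/patch` output, or with the `screen.pkginfo` file produced by the commands above (the `ls -lt` form adds permission and date columns, so take the last field of each line first).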
 
 
Instructions to remove the patch on the Administration Station
--------------------------------------------------------------
 
1. Become root on the Administration Station.
 
2. Then type:
 
        # patchrm 109736-13
 
 
Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------
 
1. Become root on the Screen.
 
2. Type the following:
 
        # patchrm 109736-13
 
 
Instructions to Remove the Patch on Remotely Administered Screens in 
Stealth Mode
--------------------------------------------------------------------
 
Use this procedure ONLY if you cannot otherwise obtain access to a 
login prompt on the Screen.
 
1. Become root on the Administration Station.
 
2. If you are running Solaris 2.6 on the Screen, ensure that you have 
   already installed the latest version of Solaris patch 106125-06.
   Version 106125-06 is available on your SunScreen EFS 3.1.
 
3. Type the following:
        # ssadm -r <Name_of_Screen> patch backout 109736-13
 
 
Additional Patch Installation Instructions
------------------------------------------
  Refer to the "Install.info" file within the patch for instructions on
  using the generic 'installpatch' and 'backoutpatch' scripts provided
  with each patch.


README -- Last modified date: Friday, November 9, 2012