CVE-2021-3156 sudo @ Solaris

ohhhh – base score 7.8 – but only because it is a local issue, and are your users your friends? It affects sudo legacy versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1.
This heap-based buffer overflow is quite easy to exploit, and I hope it will be fixed in the next SRU30 for 11.4. Until SRU30 comes out, which may still take some days, you can use an IDR patch for Solaris – I don’t know how long a new LSU build will take for 11.3 extended support.
Solaris 11.4 SRU29 -> idr4690.1
Solaris 11.3 LSU 36.24.0 -> idr4691.1
Solaris 10 ? -> Oracle says “pending resolution”
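Before chasing the right IDR or SRU, a quick way to tell whether a host is even in scope is to compare its installed sudo against the two affected ranges quoted above. This is an added Python example, not from the original post; it parses the first line of `sudo -V` (`Sudo version X.Y.Z[pN]`) and treats a release without a `pN` suffix as patch level 0.

```python
import re
import subprocess

# Affected ranges quoted in the post: legacy 1.8.2 .. 1.8.31p2 and
# stable 1.9.0 .. 1.9.5p1, both ends inclusive. Versions are compared as
# (major, minor, patch, patchlevel) tuples; a missing "pN" suffix counts as 0.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Extract '1.8.31p2' from a bare string or a full 'Sudo version 1.8.31p2'
    line and return it as a comparable tuple (1, 8, 31, 2)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def format_version(version):
    """Inverse of parse_sudo_version: (1, 8, 31, 2) -> '1.8.31p2', (1, 9, 0, 0) -> '1.9.0'."""
    base = ".".join(str(n) for n in version[:3])
    return base if version[3] == 0 else f"{base}p{version[3]}"


def is_affected(version):
    """True if the version (string or tuple) lies inside one of the affected ranges."""
    if isinstance(version, str):
        version = parse_sudo_version(version)
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def installed_sudo_version():
    """Run 'sudo -V' (works unprivileged) and parse its first line.
    Note: this checks only the sudo binary found first in PATH."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True).stdout
    return parse_sudo_version(out.splitlines()[0])


if __name__ == "__main__":
    v = installed_sudo_version()
    verdict = "AFFECTED" if is_affected(v) else "not affected"
    print(f"sudo {format_version(v)}: {verdict} by CVE-2021-3156")
```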

Oracle Support Document 2052590.1 (Reference Index of CVE IDs and Solaris Security IDRs) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=2052590.1

Another reason why you should use pfexec on Solaris 😉

Happy patching

[UPDATE] 17-FEB 2021
Oracle released Solaris 11.4 update including the fixes for this sudo miracle -> Solaris 11.4 SRU 30 (11.4.30.88.3)

2 thoughts on “CVE-2021-3156 sudo @ Solaris”

  1. Curious question. The same Pressy that used to play Unreal Tournament Sniper camper for SAS?
