-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0059
Title: Vulnerability in the Oracle Grid Engine component of Oracle Sun Products Suite [1,2]
Version history:
30.04.2012 Initial publication

Summary
=======

Two critical vulnerabilities have been identified in the Oracle Grid Engine component of Oracle Sun Products Suite:

1) Oracle Grid Engine 'qrsh' Remote Code Injection Vulnerability. [3]

Attackers can exploit this vulnerability over the 'RSH' protocol by executing arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of the affected computers.

CVE-2012-0208
CVSS v2 Base Score: 9.0 (CRITICAL) (AV:N/AC:L/Au:N/C:C/I:C/A:C). [5]

2) Oracle Grid Engine 'sge_passwd.c' Local Buffer Overflow Vulnerability. [4]

Attackers can exploit this vulnerability over the 'RSH' protocol by executing arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of the affected computers. Failed exploit attempts will result in a potential denial of service.

CVE-2012-0523
CVSS v2 Base Score: 7.2 (CRITICAL) (AV:L/AC:L/Au:N/C:C/I:C/A:C). [5]

Affected Products and Versions
==============================

Oracle Grid Engine versions 6.1 and 6.2

What can you do?
================

Deploy the updated versions provided by the vendor [1,2].

What to tell your users?
========================

N/A

More information
================

[1] http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
[2] http://www.oracle.com/technetwork/topics/security/cpuapr2012verbose-366316.html
[3] http://www.securityfocus.com/bid/53123/discuss
[4] http://www.securityfocus.com/bid/53132/solution
[5] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPnnGjOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4MHUg//al1JM21T
QSeIA7T5lcAeJizBR2kw1DEr0AJbpHuPax3AGmgnPq9+UMV4F6INowY6szl15fk4
6qXzaqHRk9AcESFgR1tcpiq5dwbvJyrzvcahcdXrQAWAEdXBXz1IVXOuit3P28qb
9iZmbrNLX6juBi4YlWP+TVTrV1A+t3WgBuT+Ra6B643zf8oID1deUwrbWJY/ibxp
kHPySj5U5DAM5OmO+ron4Qlq3v8Ql02OkuS+QPfthd4jZtCE6lMifdzI+cZHLLSz
XArZsD45ohxs8aztgRFQpBzqnWRl5/uMXWiMVmKsqM5XcWG4YOcDVR90ZyTuihyz
2lvd24ggr1oR3cBls88e/KXSNy5L1iskkGRC369tARwprc2cYkt3alzjlmOEf/5J
cVWKEd6dMovAiYdnWwdIgZVQI6KIrSJ9T1k8uK5+YqpzTm83dqPU6DvM6c+LhXnm
DKrZVPLAiuIFhNJMTXH+OmxnxxAv9efZAoyEQ+dJvrkPof44TfbXAm0UxO4IeVgw
/WveoeIFWZfiQPbYeMfz91ypCvGirFSTZjWYVuGNZ2AUXzGUOn5iJlxxl+zWpdug
MCp45aZf1cMmxQTW9eLvV9+0dhuUYRAiCGawqNokLGJMChLEpf+bpmsKI4x1wikR
ACXMrG0qz2RdNyZMy0p1oF1YWAzcuGX2OQY=
=4sRR
-----END PGP SIGNATURE-----
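Editor's note, added after the signed advisory and not part of the CERT-EU text: the Summary quotes CVSS v2 base scores together with their vectors, and a reader triaging this advisory may want to recompute them. The Python below is an added worked example, written by the editor, that implements the CVSS v2 base-score equation and metric weights from the CVSS v2 guide referenced as [5]; it is not code from CERT-EU or Oracle. It parses a vector string such as AV:L/AC:L/Au:N/C:C/I:C/A:C, rejects unknown metrics, and rounds half-up to one decimal as the guide specifies. Applied to the advisory's second vector it reproduces 7.2. Applied to the first vector exactly as printed (AV:N/AC:L/Au:N/C:C/I:C/A:C) the equation yields 10.0; the quoted 9.0 is what the equation produces when the authentication metric is Au:S (single authentication required), so a reader verifying CVE-2012-0208 should check which vector the upstream source actually assigned.

```python
"""CVSS v2 base-score calculator (editor's added example; uses the public CVSS v2 equation)."""
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights as published in the CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}              # None / Partial / Complete

# Metric name (as written in a vector) -> allowed values and their weights.
WEIGHTS = {
    "AV": ACCESS_VECTOR,
    "AC": ACCESS_COMPLEXITY,
    "Au": AUTHENTICATION,
    "C": IMPACT,
    "I": IMPACT,
    "A": IMPACT,
}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' (optionally parenthesised) into {metric: value}.

    Every metric must be present exactly once and carry a known value; anything
    else raises ValueError so a typo in an advisory is caught rather than scored.
    """
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"unknown CVSS v2 metric or value: {part!r}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = sorted(set(WEIGHTS) - set(metrics))
    if missing:
        raise ValueError(f"vector is missing metrics: {missing}")
    return metrics


def _round_one_decimal(x: float) -> float:
    # The guide rounds to one decimal place, half-up (not banker's rounding).
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score for a vector string, per the guide's base equation."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all scores 0 regardless of exploitability
    return _round_one_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def score_advisory(entries: dict) -> dict:
    """Recompute the score for each (CVE id -> vector) pair; returns CVE id -> computed score."""
    return {cve: base_score(vec) for cve, vec in entries.items()}


if __name__ == "__main__":
    # The two vectors exactly as printed in CERT-EU Security Advisory 2012-0059.
    advisory = {
        "CVE-2012-0208": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)",
        "CVE-2012-0523": "(AV:L/AC:L/Au:N/C:C/I:C/A:C)",
    }
    for cve, score in score_advisory(advisory).items():
        print(f"{cve}: computed CVSS v2 base score {score}")
```

The calculator is deliberately strict: a vector with a missing or misspelt metric raises instead of silently scoring, which is the behaviour you want when the input is pasted from an advisory. The 9.0 / 10.0 difference above comes entirely from the Au metric; running the script on the vector with Au:S confirms 9.0.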