119214-33 broke LDAP authentication. Why ?

abhisheks77 · 05-21-2017, 01:11 AM

Hello,
I have Solaris-10 x86 running on VMWare. I installed Solaris recommended patch cluster and after that LDAP authentication broke. I was able to login only with root account. Upon further investigation, I found that 119214-33 was the patch, which broke this authentication.
I tried reading about this patch, but still not able to figure out, howcome this patch broke LDAP authentication. Can somebody help me with its finding ?

Quote:

-bash-3.2# cat /var/tmp/10_x86_Recommended/10_x86_Recommended.README | grep 119214-33
119214-33 NSS_NSPR_JSS 3.21_x86: NSPR 4.11 / NSS 3.21 / JSS 4.3.2
-bash-3.2#

Thanks

jlliagre · 05-21-2017, 05:37 AM

What was the previous patch #119214 version installed?

abhisheks77 · 05-21-2017, 11:08 AM

I can see this now

Quote:

-bash-3.2# showrev -p | grep 119214
Patch: 119214-26 Obsoletes: Requires: Incompatibles: Packages: SUNWpr, SUNWtlsu, SUNWjss, SUNWtls
Patch: 119214-29 Obsoletes: Requires: Incompatibles: Packages: SUNWpr, SUNWtlsu, SUNWjss, SUNWtls
-bash-3.2# ls -l /var/sadm/patch/ | grep 119214
drwxr-xr-x 2 root root 6 Aug 20 2014 119214-29
-bash-3.2#

So it means, when I upgrade 119214-29 to 119214-33, it breaks LDAP authentication. I tried reading this link, but not able to figure out - https://getupdates.oracle.com/readme/119214-33

jlliagre · 05-21-2017, 03:02 PM

The patch you rolled back is fixing many vulnerabilities so your system is at risk.

The directory server should be up to date with NSS which it doesn't look to be. Ask the directory server vendor for support.

abhisheks77 · 05-21-2017, 03:32 PM

119214-29 is already on server. As of now, till I find what was broken, I have to live with 119214-29.
I will check with vendor support

jlliagre · 05-21-2017, 04:18 PM

Yes, without 119214-33 your system suffer from several vulnerabilities.

abhisheks77 · 05-21-2017, 04:36 PM

I am just trying to understand risk factor/level.
119214-29 was already there. I patched the server with other patched except 119214-33. Is my server as vulnerable as pre-patch or it became more vulnerable after applying patches, excluding 119214-33 ?

Let me give you some background on this. We were facing a issue of server panic occasionally, like once in a month. So we got suggestion to apply latest patch cluster. We applied it and LDAP authentication broke. Then we restored server and again applied patch excluding 119214-33. This is development environment and we need to apply same on production environment next week. That is the reason, I want to know, if patching server (without 119214-33) will make it more vulnerable than before-patch environment ?

jlliagre · 05-21-2017, 05:31 PM

You system was vulnerable and still is as far as NSS is concerned. You are missing almost three years of security fixes.

Unexplained panics should reported and analyzed by the support.

abhisheks77 · 05-21-2017, 05:38 PM

Thanks. I will take it up with support