Vulnerability in NTP on Solaris 11, and how to correct it
Network Time Protocol Daemon (ntpd) read_mru_list() Remote DoS
Synopsis
The remote NTP server is affected by a denial of service vulnerability.
Description
The remote NTP server is affected by a denial of service vulnerability due to improper validation of mrulist queries. An unauthenticated, remote attacker can exploit this, via a specially crafted NTP mrulist query packet, to terminate the ntpd process.
Note that the NTP server is reportedly affected by additional vulnerabilities as well; however, Nessus has not tested for these.
Solution
Upgrade to NTP version 4.2.8p9 or later.
Risk Factor
High
How to fix the issue: the steps below correct this problem.
Set the version-lock facets to false so that the packages can be updated; the lock is what keeps their version from changing in any other update. If you want to change them back, set them to true.
# pkg change-facet facet.version-lock.service/network/ntp=false
Packages to change: 1
Variants/Facets to change: 1
Create boot environment: No
Create backup boot environment: Yes
PHASE ITEMS
Removing old actions 1/1
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
# pkg change-facet facet.version-lock.library/security/openssl=false
Packages to change: 1
Variants/Facets to change: 1
Create boot environment: No
Create backup boot environment: Yes
PHASE ITEMS
Removing old actions 1/1
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
Validate the changed values
# pkg facet
FACET VALUE SRC
locale.* False local
locale.de True local
locale.de_DE True local
locale.en True local
locale.en_US True local
locale.es True local
locale.es_ES True local
locale.fr True local
locale.fr_FR True local
locale.it True local
locale.it_IT True local
locale.ja True local
locale.ja_* True local
locale.ko True local
locale.ko_* True local
locale.pt True local
locale.pt_BR True local
locale.zh True local
locale.zh_CN True local
locale.zh_TW True local
version-lock.library/security/openssl False local
version-lock.service/network/ntp False local
Update OpenSSL before NTP
# pkg update library/security/openssl
Packages to update: 1
Create boot environment: No
Create backup boot environment: Yes
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 400/400 5.3/5.3 216k/s
PHASE ITEMS
Removing old actions 2/2
Installing new actions 8/8
Updating modified actions 397/397
Updating package state database Done
Updating package cache 1/1
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
# pkg update service/network/ntp@4.2.8.9
# pkg info ntp
Name: service/network/ntp
Summary: Network Time Protocol Daemon v4
Description: Network Time Protocol v4, NTP Daemon and Utilities
Category: System/Services
State: Installed
Publisher: solaris
Version: 4.2.8.9 (4.2.8p9)
Build Release: 5.11
Branch: 0.175.3.17.0.1.0
Packaging Date: January 17, 2017 07:18:58 PM
Last Install Time: May 12, 2017 05:20:11 PM
Size: 5.32 MB
FMRI: pkg://solaris/service/network/ntp@4.2.8.9,5.11-0.175.3.17.0.1.0:20170117T191858Z
# pkg info openssl
Name: library/security/openssl
Summary: OpenSSL - a Toolkit for Secure Sockets Layer (SSL v2/v3) and Transport Layer (TLS v1) protocols and general purpose cryptographic library
Description: OpenSSL is a full-featured toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols as well as a full-strength general purpose
cryptography library.
Category: System/Security
State: Installed
Publisher: solaris
Version: 1.0.2.11 (1.0.2k)
Build Release: 5.11
Branch: 0.175.3.19.0.1.0
Packaging Date: March 23, 2017 11:56:33 PM
Size: 17.01 MB
FMRI: pkg://solaris/library/security/openssl@1.0.2.11,5.11-0.175.3.19.0.1.0:20170323T235633Z
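To confirm the fix on each host after patching, the version and facet checks above can be scripted. This is an added example, not part of the original post; the function names are assumptions, and the sample text is copied from the output shown above so the script also runs away from a Solaris host.

```shell
#!/bin/sh
# Added example: confirm the ntp fix landed by parsing `pkg info` / `pkg facet` text.
MIN_NTP="4.2.8.9"   # IPS version string for 4.2.8p9, as shown by pkg info above

# Print the second field of the first stdin line whose first field is $1.
second_field() {
    while read -r key value _rest; do
        [ "$key" = "$1" ] && { echo "$value"; return 0; }
    done
    return 1
}
pkg_version() { second_field "Version:"; }   # reads `pkg info` output
facet_value() { second_field "$1"; }          # reads `pkg facet` output

# version_ge A B: succeed when dotted version A >= B. Fields are compared as
# numbers (so 4.2.8.10 > 4.2.8.9) and a missing field counts as 0.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Succeed when the `pkg info` text on stdin reports ntp at MIN_NTP or later.
ntp_fixed() {
    v=$(pkg_version) || return 1
    version_ge "$v" "$MIN_NTP"
}

# Sample input copied from the output on this page. On a live host use:
#   pkg info service/network/ntp | ntp_fixed
#   pkg facet | facet_value version-lock.service/network/ntp
SAMPLE_INFO='Name: service/network/ntp
State: Installed
Version: 4.2.8.9 (4.2.8p9)'
SAMPLE_FACETS='FACET VALUE SRC
version-lock.library/security/openssl False local
version-lock.service/network/ntp False local'

if printf '%s\n' "$SAMPLE_INFO" | ntp_fixed; then
    echo "ntp: fixed version installed"
else
    echo "ntp: below $MIN_NTP, still affected"
fi
echo "ntp version-lock: $(printf '%s\n' "$SAMPLE_FACETS" | facet_value version-lock.service/network/ntp)"
```
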
Thanks Charlie for the information