
[cobalt-users] Re: Apache Chunked Vulnerability and Cobalt servers



<snip>

Thanks, but I'd venture to bet that I might be a notch
higher on the security ladder than you may give me
credit for..  But nonetheless, I do own two of these
little jokers and I'm tired of dealing with
Cobalt/SUN's lack of communication and urgency when it
comes to security issues.. (we're just now getting GCC
and zlib updated on these boxes..? It's been three
months (or more) since those vulnerabilities were
announced..) I had them updated on my other machines
-1 day- after the vulnerabilities were announced, 1
short DAY..!  But I'm _not_ about to go whacking on
little boy blue because he has this nasty habit of
going tits up when you go mucking with things under
the hood.. Esp if you still allow customers to use the
GUI's -which is the whole point of the "appliance"
thing to start with, isn't it.?  I sure didn't buy
them (at top price $2800+ three years ago) for their
fine hardware specs.. Not even at that time..

Little blue is only 2 of my entire fleet (I've sold
off the others), of which only one is used for
production and that's just because they make it easy
to offer ASP and FP to those users who _must_ have
those services (and I personally consider both
services a security risk and that's why I keep them
segregated from other users/machines).. I can then
easily accommodate those users without poisoning my
other Linux systems - Instead, I've spent the last
year deploying several hardened systems that left
these little boxes behind long ago...  On my other
hardened systems, the focus is on;

1 - Kernel security (2.4.18) as well as kernel ACL.
2 - OpenSSH/BIND/ProFTP run from chroot jail.
3 - Stripped Linux libraries for better performance.
4 - GCC 3.1 for improved performance
5 - GLIBC 3.0.3
6 - And running IPTables which is so much better than
IPChains -but requires the 2.4 kernel.

Trust me, I'm no little housewife doing this on the
side for a hobby... This is how I make my living and
put a roof over my head.. and have done so since '95..


>    Actually, if you want to do something
> _productive,_ stop shaking trees (or
> fists) and ask politely if anything is being done to
> deal with this issue.
> Has anyone bothered to actually contact anyone at
> Sun and ask if there's
> anything in the works? 

Yes, several of us, as well as the guys from UK2 who
have a whole fleet of RaQ3's (see notes from yesterday
morning on security list).. But sadly (typically)
Cobalt's reply was "we'll get back to you and let you
know.." -and yet we (and the masses) still sit here
waiting for the "official" word that the issue is even
being acknowledged, much less a release of the updated software
which truly wouldn't (shouldn't) take more than a day
to get out the door -even with good QT..  Instead, I
spent yesterday needlessly watching each (Cobalt) box
by the min to ensure it's not come under attack
(again).. 

When one is DoS'd by this little number (hell forget
the issue now of possible remote exploits that CERT
claims is in the wild) - but when one is DoS'd you'll
find _nothing_ in any of the logs pointing to the
attacker. The only thing you'll find is one line in
the error log noting a parent/child segmentation fault
-then the box (and all its services) dies a slow
death over the next 5-10 mins.. The only solution is a
simple reboot.. But I'm not real keen on having to sit
and watch my boxes 24/7 and reboot them every time
some ghoul wants to post some chunked data against
Apache esp when there's a fix available from most all
other vendors except Cobalt/SUN...

> Or are we all too busy
> running around in little
> circles bemoaning how unfair life is?

Please, save it for someone else.. I'm going to go
ahead and give the upgrade a spin on the _non_
production box this eve, which I know I can perform on
any other box, just not confident on doing so on
little blue without blowing out the GUI.. But seeing
how we've yet to even have _confirmation_ of the issue
and/or a fix is in the works from Cobalt/SUN, I guess
those of us seriously concerned (and/or previously
affected) have no other choice but to bite the bullet
and give it a spin... 

I think the time has come to setup another (hardened)
Linux box and deploy ASP/FP on it, so I can finally
chuck little blue on E-Bay once and for all - would
you possibly be interested..? I'll seriously sell it
to you after (around) the first of Aug/Sep -after I've
had time to deploy another system and get my current
users migrated over to the real thing.. because these
two little blue boxes are def heading for E-Bay.. I
don't have any more time to spare sitting around
playing with Cobalt/SUN any longer.. Nor can I sadly
say that the last three years was a good ride.. It
wasn't..

Cheers!
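
The failure mode described in this message (a child segfault in the Apache error log, nothing in the access log identifying the requester, the box dying slowly over minutes) is the kind of symptom a log watcher can alert on while a vendor fix is still pending. The following is an added example, not code from this thread or from Cobalt/SUN: it assumes the Apache 1.3-style error_log line `child pid N exit signal Segmentation fault (11)` and runs over constructed sample log lines.

```python
"""Rate-based watcher for the symptom described in the thread: Apache children
dying with a segmentation fault while the access log shows nothing.
Assumptions: Apache 1.3-style error_log lines and a constructed sample log."""
import re
from datetime import datetime

# Assumed line shape (not taken from the thread):
# "[Wed Jun 19 14:02:11 2002] [notice] child pid 4112 exit signal Segmentation fault (11)"
SEGFAULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample error_log: one startup line, one ordinary 404, four crashes.
SAMPLE_ERROR_LOG = """\
[Wed Jun 19 14:00:02 2002] [notice] Apache configured -- resuming normal operations
[Wed Jun 19 14:02:11 2002] [notice] child pid 4112 exit signal Segmentation fault (11)
[Wed Jun 19 14:02:13 2002] [notice] child pid 4115 exit signal Segmentation fault (11)
[Wed Jun 19 14:03:40 2002] [error] [client 10.0.0.5] File does not exist: /home/sites/site1/web/favicon.ico
[Wed Jun 19 14:04:02 2002] [notice] child pid 4120 exit signal Segmentation fault (11)
[Wed Jun 19 14:06:55 2002] [notice] child pid 4131 exit signal Segmentation fault (11)
""".splitlines()

def parse_segfaults(lines):
    """Return (timestamp, pid) for every line that records a child segfault."""
    events = []
    for line in lines:
        m = SEGFAULT_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FORMAT), int(m.group("pid"))))
    return events

def peak_burst(events, window_minutes=5):
    """Densest run of segfaults inside any window: (count, first_ts, last_ts).
    A single crash is noise; a cluster is the only footprint this DoS leaves,
    because the dying child never writes an access-log entry for the request."""
    times = sorted(ts for ts, _ in events)
    best, start = (0, None, None), 0
    for end, ts in enumerate(times):
        while (ts - times[start]).total_seconds() > window_minutes * 60:
            start += 1
        if end - start + 1 > best[0]:
            best = (end - start + 1, times[start], ts)
    return best

def should_alert(lines, threshold=3, window_minutes=5):
    """True when at least `threshold` segfaults fall inside one window."""
    return peak_burst(parse_segfaults(lines), window_minutes)[0] >= threshold
```

Run `should_alert` over the tail of the live error_log from cron or a tail-following loop; the alert is only a symptom detector, the remedy remains the patched httpd.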
