> I apologise if I'm misunderstanding you, but it seems to me that this > issue can only be initiated by a privileged user on a domain. If one domain can be broken into, and a Solaris kernel module is loaded which then crashes that one domain, the entire machine eventually has to be powered off to recover that one domain. > The only system immediately affected is that particular domain. That is WRONG. The long-term uptime of all other domains on the machine are eventually impacted because the entire physical machine must, after a service call to Sun, eventually be powered down. Management eventually has to decide to impact the SLA's of all domains. That means that Sun's promise of isolation is bunk. > The > removal of service from the other domains is a system/service > management decision, rather than an exploit of some kind. That is wrong, too. If any of the other domains were supposed to meet five 9's SLA's, then the failure of one domain on that physical hardware would impact the SLA's of all the other domains. > That's why I don't view it as a DoS vulnerability. How absolutely bizzare. Basically you spend half a million dollars on Sun hardware, and it isn't required to do this better than VMWare? In fact, it does it worse than VMWare. I am just stunned at your acceptance of a serious problem. > If you exploit this on your > own domain, which then becomes unavailable then, frankly, tough. If you exploit this on one domain, the other domains must all eventually be powered off. Compare this to VMWare. If an OS running inside VMWare was able to cause a situation making it neccessary to reboot the host environment and restart all VMWare instances, it would be considered a very serious and significant security problem for VMWare. It would be all over the news. (And at least with VMotion you can move the instances to another machine; with Sun you cannot). This issue is very significant. > You > wait until the frame administrators choose to power cycle the other > domains to bring you back. And what if your SLA's say that you are supposed to only go down for a maximum of 3 hours a year, yet you need that dead domain back immediately? > You stated in your original message that this is a high-end frame, of > the kind generally used by financial institutions etc. I would > imagine any system which warrants this kind of hardware would have > some level of redundancy or DR. Oh great! Sun is off the hook for selling something which doesn't work, and their customers must mitigate against it themselves. Utterly ridiculous.
