search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OpenVMS page management vulnerability

Vulnerability Note VU#10031

Original Release Date: 2003-06-01 | Last Revised: 2004-03-23


Old versions (circa 1993) of OpenVMS and OpenVMS AXP contain a vulnerability related to page management.


There is a vulnerability related to page management in old versions (circa 1993) of Open VMS. An exploit for this vulnerability, written in MACRO-32, was available at the time this vulnerability was first reported. No other details are currently available. See also CERT Advisory CA-1993-05.


An unprivileged user on a VMS system can gain full system privileges.


Upgrade to a recent (post 1993) version of OpenVMS. If you are still using an old version of OpenVMS, apply a patch as decribed in CERT Advisory CA-1993-05.

Vendor Information


Hewlett-Packard Company Affected

Updated:  May 31, 2003



Vendor Statement


     SOURCE:            Digital Equipment Corporation
     AUTHOR:            Software Security Response Team
                        Colorado Springs USA

             PRODUCT: OpenVMS V5.0 through V5.5-2 & OpenVMS AXP V1.0

             PROBLEM: Potential Security Vulnerability - OpenVMS

             SOLUTION: A remedial kit is now available for
                       OpenVMS AXP V1.0 and OpenVMS V5.0 through
                       V5.5-2 (including all SEVMS versions V5.1 through
                       V5.5-2 as applicable) by contacting your normal
                       Digital Services Support organization.

             SEVERITY LEVEL: High

     This potential vulnerability has been corrected in the next release of
     OpenVMS V6.0 and OpenVMS AXP V1.5.  For VMS Versions prior to
     OpenVMS V5.0, Digital strongly recommends that you upgrade to a
     minimum of OpenVMS V5.0 and further, to the latest release of
     OpenVMS V5.5-2.

           The remedial kits may be identified as:

                VAXSYS01_U2050   VMS V5.0, V5.0-1, V5.0-2
                VAXSYS01_U1051   VMS V5.1
                VAXSYS01_U1052   VMS V5.2
                VAXSYS01_U2053   VMS V5.3 thru V5.3-2
                VAXSYS01_U3054   VMS V5.4 thru V5.4-3
                VAXSYS02_U2055   OpenVMS V5.5 thru V5.5-2
                AXPSYS01_010     OpenVMS AXP V1.0

     Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
     Published Rights Reserved Under The Copyright Laws Of The United States.


     This update kit corrects a potential security vulnerability in
     the OpenVMS VAX and OpenVMS AXP operating systems.  This potential
     vulnerability may be further exploited in the form of a malicious program
     that may allow authorized but unprivileged users to obtain all system
     privileges, potentially giving the unprivileged user control of your
     OpenVMS system and data.


     The update kit must be applied if an update or installation is performed
     for all versions prior to OpenVMS V6.0 or OpenVMS AXP V1.5.  For VMS
     Versions prior to OpenVMS V5.0, Digital strongly recommends that
     you upgrade to a minimum of OpenVMS V5.0 and further to the
     latest release of OpenVMS V5.5-2.


     Digital strongly recommends that you install the available kit on your
     system(s), to avoid any potential vulnerability as a result of this

     Customers with a Digital Services contract may obtain a kit for the
     affected versions of OpenVMS by contacting your normal support

     -  In the U.S. Customers may contact the Customer Support Center
        at 1(800)354-9000 and request the appropriate kit for your version
        of OpenVMS, or through DSNlink Text Search database using the
        keyword text "Potential Security Vulnerability", or DSNlink VTX using
        the patch number 1084.

     -  Customers in other geographies should contact their normal Digital
        Services support organizations.

     As always, Digital recommends you to regularly review your system
     management and security procedures.  Digital will continue to review and
     enhance security features, and work with our customers to further improve
     the integrity of their systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


This statement above was released by Digital Equipment Corporation, which was acquired by Compaq Computer Corporation. Compaq merged with Hewlett-Packard in May, 2002.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Digital Equipment Corporation for reporting this vulnerability.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: CVE-1999-1312
CERT Advisory: CA-1993-05
Severity Metric: 0.43
Date Public: 1993-03-01
Date First Published: 2003-06-01
Date Last Updated: 2004-03-23 22:07 UTC
Document Revision: 3

Sponsored by CISA.