By Gerry Haskins-Oracle on Jun 23, 2015
Apologies for the rather exasperated tone of this post, but if I had a $1 for every time a 3rd party security scanning tool falsely reported that we're missing a security fix in the Solaris 10 Recommended patchset...
Let me assure you, the Solaris 10 Recommended patchset really does contain all available security fixes for the Solaris OS*.
* In deference to Murphy's Law, I'd better insert a disclaimer that I'm sure there'll be a security fix at some future point in time which is toxic and we may hold off including it until we mitigate its toxicity, but I can't think of a single case where that's occurred in the last 16 years, so let's call that a very rare corner case.
As explained in a previous post, we include the minimum patch revision required to address a security vulnerability.
If there are later patch revisions which contain unrelated bug fixes, we don't bloat the recommended patchset with them. They don't make the system any more secure.
Unfortunately, most 3rd party security scanning tools seem to work on the premise that latest is greatest, looking for just the latest available patch revision, and repeatedly alerting customers that we're missing security fixes from the Recommended patchset when we are not.
As they are our patches, and since the 3rd party tools
have no other patch metadata source than the metadata we supply, then unless our patch metadata gets out of sync
with our patches - which is highly unlikely since they come from
the same system - then customers can be assured that we're best
placed to get our own patch recommendations correct.
Another issue which some 3rd party security scanning tools seem to fail to handle are optionally installed packages - for example, JavaSE 5 or JavaSE 6.
If the packages are not installed, you are not vulnerable to security issues in them. Period. Please check before filing Service Requests.
Remember, the Recommended patchset covers the Solaris OS only, so there may be some value in such scanners for ancillary software such as Solaris Cluster, etc.
Alternatively, just read the latest available Oracle security CPU (Critical Patch Update) PAD (Product Advisory Doc). See also Doc 1272947.1 on MOS.
BTW: The latest Solaris 11 SRU also contains all available OS security fixes.