Tuesday Jun 23, 2015

The Solaris 10 Recommended patchset really does contain ALL available OS security fixes!

Hi Folks,

Apologies for the rather exasperated tone of this post, but if I had a $1 for every time a 3rd party security scanning tool falsely reported that we're missing a security fix in the Solaris 10 Recommended patchset...

Let me assure you, the Solaris 10 Recommended patchset really does contain all available security fixes for the Solaris OS*.

* In deference to Murphy's Law, I'd better insert a disclaimer that I'm sure there'll be a security fix at some future point in time which is toxic and we may hold off including it until we mitigate its toxicity, but I can't think of a single case where that's occurred in the last 16 years, so let's call that a very rare corner case.

As explained in a previous post, we include the minimum patch revision required to address a security vulnerability. 

If there are later patch revisions which contain unrelated bug fixes, we don't bloat the recommended patchset with them.  They don't make the system any more secure.

Unfortunately, most 3rd party security scanning tools seem to work on the premise that latest is greatest, looking for just the latest available patch revision, and repeatedly alerting customers that we're missing security fixes from the Recommended patchset when we are not.

As they are our patches, and since the 3rd party tools have no patch metadata source other than the metadata we supply, then unless our patch metadata gets out of sync with our patches (highly unlikely, since both come from the same system), customers can be assured that we're best placed to get our own patch recommendations correct.

Another issue which some 3rd party security scanning tools seem to fail to handle is optionally installed packages - for example, JavaSE 5 or JavaSE 6.

If the packages are not installed, you are not vulnerable to security issues in them.  Period.  Please check before filing Service Requests.
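To make the two points above concrete, here is an added example (not Oracle's code, and not the logic of any particular scanner) that checks a host against a minimum-revision table the way the Recommended patchset is built: a patch requirement is met when the installed revision is greater than or equal to the minimum revision carrying the fix, and a requirement for a package that is not installed is not applicable at all. It also reports what a "latest is greatest" comparison would have flagged, so the false alarms are visible side by side. The showrev -p lines, package list, patch numbers and advisory labels are all constructed placeholders, not real Oracle patch IDs.

```python
"""Minimum-revision patch check over constructed Solaris 10 showrev -p output.

Added example, not Oracle's code. A host is covered for an issue when the
INSTALLED revision of the fixing patch is >= the MINIMUM revision that carries
the fix, and is not exposed at all when the affected package is not installed.
Comparing against the NEWEST available revision instead produces the false
alarms described in the post.

All patch IDs, package names and advisory labels are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `showrev -p` output (one patch per line).
SHOWREV_SAMPLE = """\
Patch: 100001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-12 Obsoletes:  Requires: 100001-03 Incompatibles:  Packages: SUNWcsl, SUNWcsu
Patch: 100003-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWbash
"""

# Constructed set of installed packages (what `pkginfo` would list).
INSTALLED_PACKAGES = {"SUNWcsu", "SUNWcsl", "SUNWbash"}


@dataclass(frozen=True)
class Requirement:
    base: str        # patch base number (placeholder)
    min_rev: int     # minimum revision that carries the security fix
    latest_rev: int  # newest revision available; irrelevant to the fix
    package: str     # package the patch applies to
    label: str       # placeholder advisory label


# Constructed "recommended" table: minimum fixing revision per patch.
REQUIREMENTS = [
    Requirement("100001", 4, 7, "SUNWcsu", "FIX-A (placeholder)"),
    Requirement("100002", 12, 15, "SUNWcsl", "FIX-B (placeholder)"),
    Requirement("100003", 2, 2, "SUNWbash", "FIX-C (placeholder)"),
    # Optional package (e.g. a Java runtime) that is NOT installed on this host.
    Requirement("100004", 1, 3, "SUNWj5rt", "FIX-D (placeholder)"),
]

PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def parse_showrev(text):
    """Return {patch base: highest installed revision} from showrev -p lines."""
    installed = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line)
        if not m:
            continue
        base, rev = m.group(1), int(m.group(2))
        installed[base] = max(rev, installed.get(base, 0))
    return installed


def assess(installed, packages, requirements):
    """Classify each requirement as 'covered', 'missing' or 'not_applicable'.

    Also returns the labels a naive latest-is-greatest comparison would flag,
    which shows the false alarms side by side with the real verdict.
    """
    verdict = {}
    naive_alerts = []
    for r in requirements:
        if r.package not in packages:
            verdict[r.label] = "not_applicable"   # package absent: not exposed
            continue
        have = installed.get(r.base, 0)
        verdict[r.label] = "covered" if have >= r.min_rev else "missing"
        if have < r.latest_rev:
            naive_alerts.append(r.label)           # newest rev not installed
    return verdict, naive_alerts


if __name__ == "__main__":
    verdict, naive = assess(parse_showrev(SHOWREV_SAMPLE),
                            INSTALLED_PACKAGES, REQUIREMENTS)
    for label, state in verdict.items():
        print(f"{label}: {state}")
    print("naive latest-is-greatest alerts:", naive)
```

On the constructed sample only FIX-C is genuinely missing (revision 01 installed, 02 required), FIX-D is not applicable because its package is absent, yet the naive comparison alerts on FIX-A and FIX-B as well because newer, unrelated revisions exist. A real run would take the output of showrev -p and pkginfo on the host and a requirement table built from the patchset's README or the MOS CVE mapping document.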

Remember, the Recommended patchset covers the Solaris OS only, so there may be some value in such scanners for ancillary software such as Solaris Cluster, etc. 

Alternatively, just read the latest available Oracle security CPU (Critical Patch Update) PAD (Product Advisory Doc).  See also Doc 1272947.1 on MOS.

BTW: The latest Solaris 11 SRU also contains all available OS security fixes.

Best Wishes,


Friday Sep 26, 2014

Solaris SRUs, patches, and IDRs available on MOS for bash vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

SRUs, Patches, and IDRs (Interim Diagnostics & Relief) are available from My Oracle Support, support.oracle.com for all supported Solaris releases to address the recent critical bash vulnerabilities, CVE-2014-6271, CVE-2014-7169.

Newer IDR revisions are available on MOS which additionally address the less critical "mop up" vulnerabilities, CVE-2014-7186, CVE-2014-7187.  Patches and SRUs will follow for these too.

See MOS Doc ID 1930090.1 for details.

Many thanks to the folks around the globe who have been working tirelessly over the last 48 hours to code, test, and release these SRUs, patches, and IDRs - from Australia to India to the Czech Republic to Ireland and the US.

I sincerely apologise for the delay in proactively communicating these fixes to you.   That was outside of my control.

Best Wishes,


Friday Oct 19, 2012

October 2012 Security "Critical Patch Update" (CPU) information and downloads released

The October 2012 security "Critical Patch Update" information and downloads are now available from My Oracle Support (MOS).

See http://www.oracle.com/technetwork/topics/security/alerts-086861.html and in particular Document 1475188.1 on My Oracle Support (MOS), http://support.oracle.com, which includes security CVE mappings for Oracle Sun products.

For Solaris 11, Doc 1475188.1 points to the relevant SRUs containing the fixes for each issue.  SRU12.4 was released on the CPU date and contains the current cumulative security fixes for the Solaris 11 OS.

For Solaris 10, we take a copy of the Recommended Solaris OS patchset containing the relevant security fixes and rename it as the October CPU patchset on MOS.  See the link provided from Doc 1475188.1.

Doc 1475188.1 also contains references for Firmware, etc., and links to other useful security documentation, including information on Userland/FOSS vulnerabilities and fixes in https://blogs.oracle.com/sunsecurity/

This blog is to inform customers about patching best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION.

Gerry Haskins, Director, Software Lifecycle Engineer

