
News, tips, partners, and perspectives for the Oracle Solaris operating system

The Solaris 10 Recommended patchset really does contain ALL available OS security fixes!

Gerry Haskins
Director Security and Release Management

Hi Folks,

Apologies for the rather exasperated tone of this post, but if I had $1 for every time a third-party security scanning tool falsely reported that we're missing a security fix from the Solaris 10 Recommended patchset...

Let me assure you, the Solaris 10 Recommended patchset really does contain all available security fixes for the Solaris OS*.

* In deference to Murphy's Law, I'd better insert a disclaimer: I'm sure there'll be a security fix at some future point in time which is toxic (i.e. introduces a serious regression), and we may hold off including it until we've mitigated that toxicity. But I can't think of a single case where that has occurred in the last 16 years, so let's call that a very rare corner case.

As explained in a previous post, the Recommended patchset includes the minimum patch revision required to address each security vulnerability.

If there are later revisions of the same patch which contain only unrelated bug fixes, we don't bloat the Recommended patchset with them: they don't make the system any more secure.

Unfortunately, most third-party security scanning tools seem to work on the premise that latest is greatest: they look only for the latest available revision of each patch, and so repeatedly alert customers that the Recommended patchset is missing security fixes when it is not.

As they are our patches, and since the third-party tools have no patch metadata source other than the metadata we supply, then unless our patch metadata gets out of sync with our patches (highly unlikely, since both come from the same system), customers can be assured that we're best placed to get our own patch recommendations correct.

Another issue which some third-party security scanning tools seem to fail to handle is optionally installed packages, for example JavaSE 5 or JavaSE 6.

If those packages are not installed, you are not vulnerable to security issues in them. Period. Please check (pkginfo will tell you) before filing Service Requests.
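To make the two false-positive classes concrete, here is an added example (my own illustration, not Oracle's or any scanner vendor's code) that parses the "Patch:" lines printed by showrev -p and checks them two ways: the "latest is greatest" way most scanners use, and the way the Recommended patchset is actually built, i.e. minimum revision per fix plus "does the affected package exist at all". The patch IDs, fix labels, latest-revision table and installed-package list are constructed for the example; SUNWj5rt is assumed to be the JavaSE 5 runtime package name.

```python
"""Minimum-revision vs. latest-revision patch checking for Solaris 10.

Added example, not Oracle's code.  All sample data below are constructed.
"""
import re

# `showrev -p` prints one line per installed patch, e.g.
# "Patch: 100001-05 Obsoletes: 100001-04 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr"
# Patch IDs are a six-digit base and a two-digit revision.
PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")

# Constructed showrev -p output and package inventory (no SUNWj5rt, i.e. no JavaSE 5).
SHOWREV_P = """\
Patch: 100001-05 Obsoletes: 100001-04 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 100002-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
"""
INSTALLED_PKGS = {"SUNWcsu", "SUNWcsr", "SUNWcsl"}

# What a "latest is greatest" scanner carries: the newest revision of each patch.
LATEST_REVISIONS = {"100001": 7, "100002": 3, "100003": 2}

# What a Recommended-style list carries: the *minimum* revision that contains the
# fix, and the packages the fix applies to (constructed fix labels, not real CVEs).
RECOMMENDED = [
    {"fix": "fix-A", "base": "100001", "min_rev": 5, "packages": {"SUNWcsu"}},
    {"fix": "fix-B", "base": "100002", "min_rev": 3, "packages": {"SUNWcsl"}},
    {"fix": "fix-C", "base": "100003", "min_rev": 2, "packages": {"SUNWj5rt"}},  # assumed JavaSE 5 pkg
]


def parse_showrev(text):
    """Map patch base ID -> highest installed revision, from `showrev -p` output."""
    installed = {}
    for line in text.splitlines():
        m = PATCH_LINE.match(line.strip())
        if m:
            base, rev = m.group(1), int(m.group(2))
            installed[base] = max(installed.get(base, -1), rev)
    return installed


def latest_is_greatest_scan(installed, latest_revisions):
    """Naive scanner logic: flag every patch not at its latest revision.

    Flags both 'older but already-fixed' revisions and patches for packages
    that are not even installed, which is exactly the false-positive noise.
    """
    return sorted(base for base, latest in latest_revisions.items()
                  if installed.get(base, -1) < latest)


def minimum_revision_scan(installed, installed_pkgs, recommendations):
    """Recommended-patchset logic: per fix, 'fixed', 'missing' or 'not applicable'."""
    results = {}
    for rec in recommendations:
        if not rec["packages"] & installed_pkgs:
            # Affected package absent, so the host is not exposed to this issue.
            results[rec["fix"]] = "not applicable"
        elif installed.get(rec["base"], -1) >= rec["min_rev"]:
            # Any revision at or above the minimum already contains the fix.
            results[rec["fix"]] = "fixed"
        else:
            results[rec["fix"]] = "missing"
    return results


if __name__ == "__main__":
    inst = parse_showrev(SHOWREV_P)
    print("naive scanner flags:", latest_is_greatest_scan(inst, LATEST_REVISIONS))
    print("minimum-revision check:", minimum_revision_scan(inst, INSTALLED_PKGS, RECOMMENDED))
```

On the constructed data the naive scan flags 100001 (revision 05 is installed, 07 exists) and 100003 (absent), while the minimum-revision check reports fix-A and fix-B as fixed and fix-C as not applicable because SUNWj5rt is not installed. The only finding worth a Service Request is a genuine "missing", which the second function produces when the installed revision is below the minimum.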

Remember, the Recommended patchset covers the Solaris OS only, so there may be some value in such scanners for ancillary software such as Solaris Cluster, etc. 

Alternatively, just read the latest available Oracle CPU (Critical Patch Update) PAD (Product Advisory Document) for Solaris. See also Doc 1272947.1 on MOS (My Oracle Support).

BTW: The latest Solaris 11 SRU also contains all available OS security fixes.

Best Wishes,

Gerry.


Comments (3)
  • guest Wednesday, June 24, 2015

    And can I have $1 for every time a CVE on OSS code was obviously impacting Solaris, and when called, Support denied its very existence?

    Because it might contain every *available* patch - CVEs for which there are none available, Oracle won't say a word about them.

    An ignorant customer is a satisfied customer, or something.

    Lucky that Red Hat has some information on how to mitigate them.

    Boasting about how Oracle's security by obscurity is a great thing - awesome.


  • guest Monday, June 29, 2015

    Thanks... we've been scanning using Foundstone, and that has both the problems you noted.

    Do you have a suggestion on the best way to be sure that a particular vulnerability has been patched? Can we search support for CERT numbers, for example?

    Thank you.

    --

    David Strom


  • Gerry Monday, August 24, 2015

    Hi David,

    The quarterly Critical Patch Update (CPU) Product Advisory Documents (PADs) contain lists of CVE numbers addressed by the product.

    For example, search MOS by "Solaris July 2015 CPU doc", and it returns doc 2018633.1 at the top of the list.

    This doc lists all the CVEs newly addressed this quarter and the minimum release of Solaris, LDoms (VM Server for SPARC), Cluster, and firmware which contained the fixes.

    The Reference section at the bottom links to previous docs, providing a daisy chain.

    Best Wishes,

    Gerry.

