Thursday Dec 16, 2010

Index of Security Sun Alerts and Mappings for Legacy SunSolve Links

The SunSolve support portal was replaced by (My Oracle Support) earlier this week. All Security Sun Alerts are now accessible to customers through the website. Old URLs that point to SunSolve with Sun Alert document IDs do not redirect automatically to their new URLs. The Document ID numbers under the Oracle support portal are new and differ from the document ID numbers published under SunSolve.

To make referring to these Sun Alerts easier, we are providing a mapping of the old Sun Alert IDs to new Oracle IDs and an archive of Sun Alerts at:

SunSolve itself had transitioned between different knowledge management systems over the years, resulting in multiple legacy document IDs for the same Sun Alert. The above mapping also lists any such previously used ID numbers and URL formats.

New Security Sun Alerts are no longer published as of April 2010. Customers are alerted about security vulnerabilities through the Oracle Security Alert process. Details can be found on the Critical Patch Updates and Security Alerts site.

Tuesday Nov 06, 2007

Reference document for security Sun Alerts

The Sun Security Coordination Team has published a reference document for security Sun Alerts at:

This document includes information on Preliminary and Workaround Sun Alerts, various sections in the body of a Sun Alert, definitions of frequently used vulnerability related terminology (such as 'local user', 'remote user', 'execution of arbitrary code' and so on) and a brief summary of Sun's response to security vulnerability reports.

Monday Jul 30, 2007

Fresh Look:

A few months ago, started off in a new direction. The goal was to provide a large and highly visible stage for anyone within Sun who wanted to share their thoughts about security. Per the announcement:

If you are member of the Sun security community, and if you have something to say, where do you go to talk about the whole panoply of security? To where should you direct your voice? The answer, now, is here,

The goal of this effort was simple. It enabled Sun's security community to:

provide a point of consolidation, where people can find postings and feeds pertinent to their preferred topics - Security Alerts, Tips, New Products, Announcements of "Pertinent Stuff" internal and external to Sun - where you can find personally written content with a high signal-to-noise ratio, and where you can have conversations through comments, cross-linking, providing the immediacy which is a cornerstone of the modern web.

A lot of great content has been shared in this forum and across since that posting. In addition, the announcement said that:

Over the coming weeks there will be evolution and change, and you'll be hearing from real Sun people with real interest in security.

Well, it was more than just a few weeks, but it is certainly in this spirit that I am happy to announce the newly updated security landing page at This page has been revamped by real Sun people with real interest in security and this is just the beginning. We will be bringing you fresh news and content on a regular basis, will be working to update the rest of the security pages in the very near future, and will be working towards even closer integration with

For Sun employees, if you want your security postings to be visible on, you need only to tag your blog posting with the keyword security.

Check it out and let us know what you think!

Tuesday May 01, 2007

SLOTD: the risk of not understanding blogs

Today's SLOTD is a thought-piece - I'm not going to talk directly about the / HD-DVD key story which you can perfectly-well read about for yourselves and thereby keep more up-to-date with a dynamic story than is possible by reading my witterings; moreover there are many viewpoints on the underlying question of using encryption to "protect" digital media which retailers "sell" (or perhaps "license"?) to everyday people who buy them in aggregate with small shiny plastic disks, and there are wiser people than I who work for Sun who I intend to chivvy about writing about this topic in the future.

Hello, Susan. :-)

However, last week I posted a video about web2.0 security and am in some ways delighted that an example of the gap I didn't cover is coming to the public consciousness so soon.

Our fearless leader two years ago was described and quoted thusly:

Blogging's advantage, from his perspective, is in the transparency and authenticity that nothing else can provide. With more than 1000 company bloggers, people can see inside Sun in ways that are infinitely more valuable than Federal governance regulations. 'Executives are missing a point. There is no perfect truth despite transparency.' He argued that SEC requirements for quarterly reporting is far from as revealing as 1000 Sun bloggers talking about 'the guts of the company,' on a daily basis in a public forum.


From Schwartz' perspective, blogging is not an appendage to Sun's marketing communications strategy, it is central to it. He believes that the 1000 Sun bloggers contribution hasn't just moved the needle for the company, 'they've moved the whole damned compass. The perception of Sun as a faithful and authentic tech company is now very strong. What blogs have done has authenticated the Sun brand more than a billion dollar ad campaign could have done. I care more about the ink you get from developer community than any other coverage. Sun has experienced a sea change in their perception of us and that has come from blogs. Everyone blogging at Sun is verifying that we possess a culture of tenacity and authenticity.'

...and the flipside of that is summed-up in a nutshell: if you manage to do something which trashes your authenticity, makes you look artificial, opaque, plastic, or disrespectful of the members of your community, then you can suffer in a way that hasn't really had adequate comparison since the days of tar & feathers, stocks or other forms of community social humiliation.

Sun Microsystems has its own internal vocabulary, and one of the phrases which used to be common was that of the CNN Moment - a "damaging public infrastructure failure often experienced by dot-com enterprises" which presumably would be big enough and embarrassing enough to end up on the front page of the eponymous website.

What I am finding is less obvious to some of my colleagues (and customers) is that as mainstream media websites become less relevant, blogs and other communities become more relevant in terms of how people will perceive you and your company; and the distributed nature of blogs means that stories don't get retracted, they get amplified.

So nowadays we should fear "blog moments", or perhaps social-tar-and-feathering, since once humiliation is stuck to your brand then it's awfully hard to wash off.

So there's your security risk for today, and its respective mitigation: if you're going to engage with your community then do respect them and don't junk those amongst them with whom you have an issue; instead you need to engage with your community about the underlying problem - eg: "Our advisers think this is a legal risk to us, so we're very sorry but we're suspending this thread until we sort this out..." - and you'll come out of it a lot cleaner, and with fewer feathers.

And sadly there is no shortcut. No amount of firewalls, VPNs, privilege management, cryptography or methodology will save you from the business risk of not "getting it".

- alec

Thursday Apr 26, 2007

SLOTD: why buy a firewall?

OK - so I was at a very interesting customer today, and conversation swung around to "defense-in-depth" and that bastion of IT security, the firewall.[1]

We were in the midst of some on-the-fly rearchitecture discussion (read: "if we replumb it all in a more elegant fashion, what needs to be fixed or added in order to make it safe?") and it turned out that an extra firewall to demarcate a line between some public and private machines, would make matters a lot more secure.

"It'll cost a lot, this new firewall", says their long-haired sysadmin.

"Why", says I?

"Firewall license" says he, and names a largeish four-figure number. Eek. That's more than the hardware!

So one of the things I've never understood - and I've told him this - is why the "Cult Of Firewall" is such that only a "dedicated box or appliance" running "genuine firewall software" for which $$$$$$ are paid, is what people go running towards whenever firewalls are mentioned.

Sure, in an enterprise context where people bandy words like "five nines" (ie: 99.999% uptime) - or "extreme(ly) high availability", or where you need "management consoles" - then do buy an enterprise solution where you might be able to sue the vendor if it blows up.

But if you are a small-to-medium organisation with your own in-house pet geeks, then why not take advantage of the general-purpose functionality of general-purpose operating systems and deploy Solaris, Linux or *BSD as a firewall? Consider your choice carefully, minimise it to the utmost, but it'd be a lot cheaper and often perfectly adequate and more than adequately performant.

I started at Sun in 1992 and if I had had more business sense back then, and if I had had more money, then I would have cottoned on to the number of SparcStation2's that I was buying, to act as "routers" for our intranet. This observation might have led me to invest in Cisco and its dedicated routers, and made me a tidy profit. Oh well.

But the thing about IT security is that "what goes around, comes around". Maybe it's time for the comeback of the general-purpose operating system, in tiny tasks, on more-than-adequately-powerful hardware?

- alec

[1] yes, this is an intentional pun. :-)

Tuesday Apr 17, 2007

2007-04-17 Security Link Of The Day

I asked Susan Landau about the new edition of Privacy On The Line which is just out, and she kindly answered in the third person:

Whitfield Diffie and Susan Landau have updated their book on crypto and wiretap policy, "Privacy on the Line: The Politics of Wiretapping and Encryption."

The revised book details the arguments between the U.S. government and industry and academic researchers over encryption and the right to use strong encryption in the public domain - a battle that was won in 2000, when the U.S. government agreed to the export of strong crypto in most high-tech products. But there remain other issues, including the U.S. government's effort to apply the Communications Assistance for Law Enforcement Act to VoIP, a "solution" for wiretapping that potentially creates major security holes.

Diffie and Landau's updated and expanded version of Privacy on the Line covers these and related issues (including the NSA warrantless wiretapping); Ron Rivest, the co-inventor of the RSA algorithm, says, "This revised edition of Diffie and Landau's classic work brings their treatment fully up to date. Essential for anyone interested in the technology, history, and politics of communications privacy."

Whitfield Diffie is Chief Security Officer of Sun, and co-inventor of public-key crypto, which amongst other achievements is what enables ecommerce.

Susan Landau is a Sun Distinguished Engineer focusing on the intersection of security, crypto, and public policy, and currently working on issues of digital-rights management and surveillance issues.

Now all I need to do is get Susan blogging. :-)

- Alec

Friday Apr 06, 2007

2007-04-06 Security Link Of The Day

So what happens if by hook or by crook someone breaks into your Solaris system and installs a trojan horse? Modifies the password file? Deletes a few old logfiles?

Or what if you run a heavily change-controlled system environment, and you need to know whether anything has been changed outside of the scope of your operational processes?

There's a solution built-in to Solaris 10: bart - Basic Audit & Reporting Tool, a truly boringly-named tool which does something both useful and interesting:

BART provides a quick and easy way to collect information on filesystem objects and their attributes so that, at a later time, you can determine whether there have been any changes. BART can help you detect accidental or malicious changes to files within an operating system due to either a security incident or change management incident.

BART is able to collect such information as an object's UID, GID, permissions, access control lists, modification time, size, and type. In addition, for files, BART generates an MD5 fingerprint from the contents of the file. For a full list of the attributes that can be collected, see the bart_rules(4) manual page.
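To make the control-manifest / test-manifest workflow concrete, here is an added example, written for this page rather than taken from Solaris or the BluePrint, that does in Python what bart does: it snapshots the type, size, mode, uid, gid, modification time and (for regular files) MD5 fingerprint of every object under a directory, then diffs two snapshots and reports additions, deletions and attribute changes. The manifest layout and the `demo()` scenario (a uid-0 account appended to a passwd file, a loosened mode, a dropped preload file, a deleted motd) are constructed for illustration and are not bart's own format; the attribute names are chosen to match those in bart_rules(4).

```python
"""BART-style file-integrity check (added example, not Solaris bart itself)."""
import hashlib
import os
import shutil
import stat
import tempfile

# One-letter type codes in the spirit of bart's F/D/L/B/C/P/S.
FILE_TYPES = {
    stat.S_IFREG: "F", stat.S_IFDIR: "D", stat.S_IFLNK: "L", stat.S_IFBLK: "B",
    stat.S_IFCHR: "C", stat.S_IFIFO: "P", stat.S_IFSOCK: "S",
}


def _md5_file(path):
    """Content fingerprint; MD5 only because that is what Solaris 10 bart records."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry(path):
    """Collect the attributes of one object (lstat, so symlinks are never followed)."""
    st = os.lstat(path)
    ftype = FILE_TYPES.get(stat.S_IFMT(st.st_mode), "?")
    entry = {"type": ftype, "size": st.st_size,
             "mode": "%04o" % stat.S_IMODE(st.st_mode),
             "uid": st.st_uid, "gid": st.st_gid}
    if ftype == "D":
        entry["dirmtime"] = int(st.st_mtime)
    elif ftype == "L":
        entry["lnmtime"] = int(st.st_mtime)
        entry["dest"] = os.readlink(path)
    else:
        entry["mtime"] = int(st.st_mtime)
    if ftype == "F":
        entry["contents"] = _md5_file(path)
    return entry


def create_manifest(root):
    """Map every object below root (root itself is '/') to its attribute dict."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        manifest["/" if rel == "." else "/" + rel] = _entry(dirpath)
        # include dirnames: os.walk does not descend into symlinked directories
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            manifest["/" + os.path.relpath(full, root)] = _entry(full)
    return manifest


def compare_manifests(control, test, ignore=()):
    """Return [(path, 'add'|'delete'|'change', {attr: (control_val, test_val)})]."""
    ignore = set(ignore)
    report = []
    for path in sorted(set(control) | set(test)):
        if path not in test:
            report.append((path, "delete", {}))
        elif path not in control:
            report.append((path, "add", {}))
        else:
            c, t = control[path], test[path]
            diffs = {k: (c.get(k), t.get(k)) for k in sorted(set(c) | set(t))
                     if k not in ignore and c.get(k) != t.get(k)}
            if diffs:
                report.append((path, "change", diffs))
    return report


def format_report(report):
    """Render the report in a 'bart compare'-like layout."""
    lines = []
    for path, kind, diffs in report:
        lines.append("%s:" % path)
        if kind != "change":
            lines.append("  %s" % kind)
        for attr, (cval, tval) in diffs.items():
            lines.append("  %s  control:%s  test:%s" % (attr, cval, tval))
    return "\n".join(lines)


def demo():
    """Constructed scenario: baseline an /etc-like tree, then tamper with it."""
    root = tempfile.mkdtemp(prefix="bart-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        for name, body in (("passwd", "root:x:0:0::/root:/bin/sh\n"), ("motd", "welcome\n")):
            with open(os.path.join(etc, name), "w") as f:
                f.write(body)
            os.chmod(os.path.join(etc, name), 0o644)
        control = create_manifest(root)  # taken while the host is still trusted
        # Simulated intrusion: extra uid-0 account, loosened mode, dropped file, deleted file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(etc, "passwd"), 0o666)
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")
        os.remove(os.path.join(etc, "motd"))
        test = create_manifest(root)
        # dirmtime churns on every add/delete; ignore it as a bart rules file would
        return compare_manifests(control, test, ignore={"dirmtime"})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(format_report(demo()))
```

On a real Solaris 10 host the equivalent is `bart create -R /etc > control.manifest` while the system is trusted, later `bart create -R /etc > test.manifest`, then `bart compare control.manifest test.manifest`; a rules file per bart_rules(4) with `IGNORE dirmtime` suppresses the directory-timestamp noise the example ignores above. Two caveats a practitioner will want: the control manifest must live somewhere the intruder cannot rewrite (off-host or on read-only media), since a root-level compromise can regenerate it; and the tool only tells you that something changed, so the baseline has to be taken before the compromise, not after.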

There's a lovely white paper "blue print" explaining all this, available for download (nb: PDF document; apparently HTML was neither pretty enough nor impressive enough) along with the rest of the Sun Security BluePrints, some of which we'll be spotlighting individually over the next few weeks.

- Alec

Tuesday Mar 27, 2007

A new direction for


One of the biggest challenges that Sun's security community - all of the security community, the kernel folk, the applications folk, the Java evangelists, the hardware geeks, the integrators, the cryppies, the researchers, the legal beagles, the politicians, and the just plain interested - one of if not the greatest challenge is "how can we talk with the customer whilst using a single voice?"

It's easy for product-focused groups; when you create a security widget, hoodjamaflip or doohickey there usually comes a product marketeer who expounds relentlessly about your nifty thing at every opportunity, so that interest catches light and sets aflame many imaginations - and product sales follow.

Or, at least, that's how it's supposed to work. Regarding security, things can be a little different.

The challenge is summed up in the very terminology of Sun's approach to "Systemic Security" - it's inarguable that security is holistic, the summation of good code running on good hardware, properly installed and integrated into its larger environment, with availability, integrity and robustness for all.

So who is your product marketer for the entire stack? Aside from you, who can talk about the wider issues, the architectural big pictures or the knock-on benefits you can get from leveraging one tiny, under-advertised feature of a much larger product like Solaris?

If you are member of the Sun security community, and if you have something to say, where do you go to talk about the whole panoply of security? To where should you direct your voice?

The answer, now, is here,

This is not to say that Sun security folk should abandon their own blogs - heavens, no! Absolutely not. No no no no no! That's not the point at all. Please be clear about that. Please keep blogging.

In addition, here at we hope to provide a point of consolidation, where people can find postings and feeds pertinent to their preferred topics - Security Alerts, Tips, New Products, Announcements of "Pertinent Stuff" internal and external to Sun - where you can find personally written content with a high signal-to-noise ratio, and where you can have conversations through comments, cross-linking, providing the immediacy which is a cornerstone of the modern web.

For the Sun employee: if you want to post something, or if you'd like to see a pointer to something you've blogged be added, then drop us a line via e-mail. We'll be in touch. Promise. In the meantime get a blog on, if you've not got one already.

For the non-Sun reader: Sun Alerts will continue to be posted here by the Sun Security Co-ordination Team; so there will be no change there; but if you haven't already, please bookmark this site or add it to your feeds. Articles, pointers to other articles, and suggestions for postings are welcome. Just add a comment.

If you desire strictly alerts-only traffic, all the security Sun Alerts will continue to be posted into the Security Alerts Category, which already has a specific RSS feed at .

Over the coming weeks there will be evolution and change, and you'll be hearing from real Sun people with real interest in security. The sidebar will expand, the header too. We're also looking towards better integration with the website. It would be nice to have something approaching a one-stop shop for anyone who wants to know about Sun and our Security offerings.

For now, though, please keep watching. We hope you'll like the changes.

alec (
