Go to main content

Oracle® Solaris 11.4 Compliance Guide

Exit Print View

Updated: August 2021
 
 

Administering CVE Updates in Oracle Solaris

Systems that contain the most recent security fixes provide a more secure computing environment. Oracle Solaris provides online access to the Common Vulnerabilities and Exposures (CVE) list and other security fixes. The pkg command has options to search for CVE updates.

Monitoring CVE Status in Oracle Solaris

You can monitor the status of critical updates to Oracle Solaris packages by following the information at the Oracle Critical Patch Updates, Security Alerts and Bulletins web site. You should apply critical patch updates without delay.

Locating the Packages That Have CVE Updates in Oracle Solaris

The Oracle Solaris Support package repository contains metadata for tracking security vulnerability fixes by the assigned CVE ID. Oracle Solaris creates a package of this metadata from the Oracle bug database. After installing the package, you can easily determine whether your system has all the known and required security vulnerability fixes. You do not need to derive this information from other sources. Using the Oracle bug database as your source is critically important because sometimes Oracle Solaris fixes a bug in an upstream Free and Open Source (FOSS) component by patching the code rather than by generating a new version of the component.

The metadata package from the Oracle bug database, pkg:/support/critical-patch-update/solaris-11-cpu, covers the entire dependency hierarchy. All packages that were changed for a particular CVE fix are dependencies of the solaris-11-cpu package. They are "optional" dependencies, therefore they are updated if they are already installed, but not installed if the software that is being fixed is not already installed.

The metadata package enables retrospective updates to the critical patch update (CPU) metadata where a shipped version already contains the fix for a given CVE ID. When Oracle Solaris publishes a new CPU, it also publishes a new version of the package to the Oracle Solaris support repository plus the new package versions that contain the fixes.

The version format for the CPU package is @YYYY.MM-VV where VV is usually a low number, as in the CPU package solaris-11-cpu@2014.10-1. This format enables Oracle Solaris to republish critical patch updates within the same month. Note that the day of the month (DD) is not part of the version format.

You can search the metadata by using either the Oracle Solaris Support package repository web site or the command-line interface. You can search for cases where a given CVE ID applies to multiple packages and also where a given package version contains fixes for multiple CVE IDs.

Installing the CPU Package

Your Oracle Solaris 11.4 systems might not have the solaris-11-cpu package installed by default, because this package is higher in the dependency hierarchy than the entire package. You must update to an SRU that includes the solaris-11-cpu package, install the package, then update it.

# pkg install recent-solaris-11-release
# pkg install solaris-11-cpu
# pkg install solaris-11-cpu@latest

After solaris-11-cpu@latest is installed, the system is updated to the SRU version of the CPU. The updating includes all package updates between the SRU of the system and the SRU version of the CPU. For more information and examples, see Applying Support Updates in Updating Systems and Adding Software in Oracle Solaris 11.4 and Critical Patch Update Packages in Updating Systems and Adding Software in Oracle Solaris 11.4.

Managing CVE Updates From the Command Line

The examples in this section show how to use the command line to find CVE information.

Example 29  Several Ways of Listing the Packages That Contain Fixes to a CVE ID

When you know the CVE ID, you can use it to find the packages that contain the fix for it. The following searches find the fix for the bash Shellshock software bug.

  • The pkg search command searches all configured repositories and the local system for the CVE ID. The output lists which packages and versions contain the fix and which CPU delivers it. Note the use of the trailing colon (:) in the search to indicate a missing field.

    $ pkg search CVE-2014-7187:
    INDEX         ACTION VALUE                                                PACKAGE
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-3
    ...
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • Without the trailing colon, the pkg search command lists all solaris-ll-cpu package versions, but does not list the bash package that contains`the fix.

    $ pkg search CVE-2014-7187
      INDEX   ACTION VALUE          PACKAGE
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
    ...
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • The following command displays the CVE ID, the package that contains the fix, and solaris-11-cpu package version:

    $ pkg search -Ho name,value,pkg.shortfmri CVE-2014-7187:
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    ...
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-1
    ...
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • The pkg contents -r command searches the repository, not the local system, for the packages that fix the bash Shellshock software bug.

    $ pkg contents -Hro value -t set -a name=CVE-2014-7187 solaris-11-cpu
    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0
    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0
    pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0

Because SRUs and CPUs are cumulative, the fix is available after being installed once.

Example 30  Showing When a CVE Fix Was First Available

This example shows that the fix for the bash Shellshock software bug was first available for this system in the solaris-11-cpu@2014.4-1 package and in every following SRU.

$ pkg search -po pkg.shortfmri CVE-2014-7187
PKG.SHORTFMRI
pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-2
...
Example 31  Listing the CVE IDs in a Critical Patch Update

This example shows how to display every fixed CVE in the latest CPU.

$ pkg contents -rHo value -a name=info.cve solaris-11-cpu@latest
CVE-1999-0103 
CVE-2002-2443 
CVE-2003-0001 
CVE-2004-0230
...
CVE-2015-5477
...
Example 32  Verifying That the Latest CPU Is Installed

To determine the status of the latest solaris-11-cpu package, use the pkg list command.

$ pkg list -af solaris-11-cpu@latest
NAME (PUBLISHER)                                  VERSION                    IFO
support/critical-patch-update/solaris-11-cpu      2015.8-1                   ---

Because the i flag is not in the I column, the latest CPU is not installed.

Example 33  Verifying That a Fix for a CVE ID Is Installed

To verify that you installed a fix for a specific CVE ID, search your installed packages for the CVE ID. If it is not installed, no output displays. The pkg search -l command searches the local disk only.

# pkg search -l CVE-2014-7187
INDEX      ACTION VALUE         PACKAGE
info.cve   set    CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1

For more information about options to the pkg command, see the pkg(1) man page.