Systems that contain the most recent security fixes provide a more secure computing environment. Oracle Solaris provides online access to the Common Vulnerabilities and Exposures (CVE) list and other security fixes. The pkg command has options to search for CVE updates.
You can monitor the status of critical updates to Oracle Solaris packages by following the information at the Oracle Critical Patch Updates, Security Alerts and Bulletins web site. You should apply critical patch updates without delay.
The Oracle Solaris Support package repository contains metadata for tracking security vulnerability fixes by the assigned CVE ID. Oracle Solaris creates a package of this metadata from the Oracle bug database. After installing the package, you can easily determine whether your system has all the known and required security vulnerability fixes, without deriving this information from other sources. Using the Oracle bug database as your source is critically important because Oracle Solaris sometimes fixes a bug in an upstream Free and Open Source Software (FOSS) component by patching the code rather than by shipping a new upstream version of the component, so the component's version number alone does not tell you whether a CVE is fixed.
The metadata package from the Oracle bug database, pkg:/support/critical-patch-update/solaris-11-cpu, covers the entire dependency hierarchy. All packages that were changed for a particular CVE fix are dependencies of the solaris-11-cpu package. They are "optional" dependencies: a package that is already installed is updated to the fixed version, but a package that is not installed is not added just because a fix exists for it.
The metadata package enables retrospective updates to the critical patch update (CPU) metadata where a shipped version already contains the fix for a given CVE ID. When Oracle Solaris publishes a new CPU, it also publishes a new version of the package to the Oracle Solaris support repository plus the new package versions that contain the fixes.
The version format for the CPU package is @YYYY.MM-VV where VV is usually a low number, as in the CPU package firstname.lastname@example.org. This format enables Oracle Solaris to republish critical patch updates within the same month. Note that the day of the month (DD) is not part of the version format.
You can search the metadata by using either the Oracle Solaris Support package repository web site or the command-line interface. You can search for cases where a given CVE ID applies to multiple packages and also where a given package version contains fixes for multiple CVE IDs.
Your Oracle Solaris 11.4 systems might not have the solaris-11-cpu package installed by default, because this package sits higher in the dependency hierarchy than the entire incorporation package and is therefore not pulled in by it. You must update to an SRU that includes the solaris-11-cpu package, install the package, then update it to the latest version:

    # pkg install recent-solaris-11-release
    # pkg install solaris-11-cpu
    # pkg install solaris-11-cpu@latest

After solaris-11-cpu@latest is installed, the system is at the SRU that corresponds to that CPU. The update includes all package updates between the SRU the system was on and the SRU of the CPU. For more information and examples, see Applying Support Updates in Updating Systems and Adding Software in Oracle Solaris 11.4 and Critical Patch Update Packages in Updating Systems and Adding Software in Oracle Solaris 11.4.
The examples in this section show how to use the command line to find CVE information.

Example 29 Several Ways of Listing the Packages That Contain Fixes to a CVE ID
When you know the CVE ID, you can use it to find the packages that contain the fix for it. The following searches find the fix for the bash Shellshock software bug.
The pkg search command searches all configured repositories and the local system for the CVE ID. The output lists which packages and versions contain the fix and which CPU delivers it. Note the trailing colon (:) in the query. A pkg search query has the form pkg_name:action_type:key:token, with unneeded leading fields omitted, so CVE-2014-7187: makes the CVE ID the key (the attribute name) and leaves the token empty, which matches any value. That is exactly how the solaris-11-cpu package records a fix: a set action named after the CVE ID whose value is the FMRI of the fixed package, which is why the INDEX column below shows the CVE ID and the VALUE column shows the fixed package.

    $ pkg search CVE-2014-7187:
    INDEX         ACTION VALUE                                        PACKAGE
    CVE-2014-7187 set    pkg://email@example.com,5.11-0.175.2.2.0.8.0 pkg:/firstname.lastname@example.org
    CVE-2014-7187 set    pkg://email@example.com,5.11-0.175.2.2.0.8.0 pkg:/firstname.lastname@example.org
    ...
    CVE-2014-7187 set    pkg://email@example.com,5.11-0.175.2.2.0.8.0 pkg:/firstname.lastname@example.org
    CVE-2014-7187 set    pkg://email@example.com,5.11-0.175.2.3.0.4.0 pkg:/firstname.lastname@example.org

Without the trailing colon, the CVE ID is matched as a token, that is, as the value of an attribute such as info.cve. The pkg search command then lists all solaris-11-cpu package versions that carry the CVE ID in info.cve, but does not list the bash package that contains the fix.

    $ pkg search CVE-2014-7187
    INDEX    ACTION VALUE         PACKAGE
    info.cve set    CVE-2014-7187 pkg:/email@example.com
    info.cve set    CVE-2014-7187 pkg:/firstname.lastname@example.org
    ...
    info.cve set    CVE-2014-7187 pkg:/email@example.com
The following command displays only the CVE ID, the package that contains the fix, and the solaris-11-cpu package version, without the header (-H) and with the output columns chosen explicitly (-o):

    $ pkg search -Ho name,value,pkg.shortfmri CVE-2014-7187:
    CVE-2014-7187 pkg://firstname.lastname@example.org,5.11-0.175.2.2.0.8.0 pkg:/email@example.com
    ...
    CVE-2014-7187 pkg://firstname.lastname@example.org,5.11-0.175.2.5.0.2.0 pkg:/email@example.com
    ...
    CVE-2014-7187 pkg://firstname.lastname@example.org,5.11-0.175.2.2.0.8.0 pkg:/email@example.com
The pkg contents -r command searches the repository, not the local system. It lists the values of the set actions in the solaris-11-cpu package whose name is the CVE ID, that is, the FMRIs of the package versions that fix the bash Shellshock software bug, without needing a search index.

    $ pkg contents -Hro value -t set -a name=CVE-2014-7187 solaris-11-cpu
    pkg://firstname.lastname@example.org,5.11-0.175.2.2.0.8.0
    pkg://email@example.com,5.11-0.175.2.3.0.4.0
    pkg://firstname.lastname@example.org,5.11-0.175.2.5.0.2.0

Because SRUs and CPUs are cumulative, a fix that is present in one SRU is present in every later SRU; installing it once is enough.

Example 30 Showing When a CVE Fix Was First Available
This example shows that the fix for the bash Shellshock software bug was first available for this system in the email@example.com package and in every following SRU.
    $ pkg search -po pkg.shortfmri CVE-2014-7187
    PKG.SHORTFMRI
    pkg:/firstname.lastname@example.org
    pkg:/email@example.com
    pkg:/firstname.lastname@example.org
    ...

Example 31 Listing the CVE IDs in a Critical Patch Update
This example shows how to display every fixed CVE in the latest CPU.
    $ pkg contents -rHo value -a name=info.cve solaris-11-cpu@latest
    CVE-1999-0103
    CVE-2002-2443
    CVE-2003-0001
    CVE-2004-0230
    ...
    CVE-2015-5477
    ...

Example 32 Verifying That the Latest CPU Is Installed
To determine the status of the latest solaris-11-cpu package, use the pkg list command.
    $ pkg list -af solaris-11-cpu@latest
    NAME (PUBLISHER)                               VERSION  IFO
    support/critical-patch-update/solaris-11-cpu   2015.8-1 ---

Because the i flag is not in the I column (the IFO column shows ---), the latest CPU is not installed.

Example 33 Verifying That a Fix for a CVE ID Is Installed
To verify that you installed a fix for a specific CVE ID, search your installed packages for the CVE ID. If it is not installed, no output displays. The pkg search -l command searches the local disk only.
    # pkg search -l CVE-2014-7187
    INDEX    ACTION VALUE         PACKAGE
    info.cve set    CVE-2014-7187 pkg:/email@example.com
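The following POSIX shell script is an added example, not part of the Oracle Solaris documentation or of pkg(1) itself. It combines the queries from Example 29 and Example 33 into one report: for each CVE ID given on the command line it first asks the local image (pkg search -l, no trailing colon) whether an installed package records the fix, and if not asks the configured repositories (trailing colon) which solaris-11-cpu version delivers it. It assumes an Oracle Solaris 11.4 image with pkg on the PATH and the solaris-11-cpu metadata package available in a configured repository; the function names, the three-column tab-separated output format and the fixed/available/unknown states are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): report the
# status of a list of CVE IDs by combining the pkg(1) queries shown above.
# Assumes an Oracle Solaris 11.4 image with pkg on the PATH and the
# solaris-11-cpu package available in a configured repository.

TAB=$(printf '\t')

# Installed packages that record info.cve=<CVE-ID>, one pkg.shortfmri per
# line. `pkg search -l` looks only at the local image; `-H` drops the header
# and `-o` selects the column. pkg search exits 1 when nothing matches, so
# that status is swallowed and empty output is the signal.
fixed_locally() {
    pkg search -l -Ho pkg.shortfmri "$1" 2>/dev/null || true
}

# Fixes recorded in the repository's solaris-11-cpu package for <CVE-ID>.
# The trailing colon makes the CVE ID the attribute *name* of the query,
# matching the `set name=CVE-... value=<fixed package>` actions in
# solaris-11-cpu rather than an info.cve value. Each output line is
# "<fixed package FMRI> <solaris-11-cpu FMRI>".
fixed_in_cpu() {
    pkg search -Ho value,pkg.shortfmri "$1:" 2>/dev/null || true
}

# Print "<CVE-ID><TAB><fixed|available|unknown><TAB><detail>" for one CVE ID.
cve_status() {
    id=$1
    local_pkgs=$(fixed_locally "$id")
    if [ -n "$local_pkgs" ]; then
        # Fix is installed: list every installed package that carries it.
        printf '%s\tfixed\t%s\n' "$id" "$(printf '%s' "$local_pkgs" | tr '\n' ' ')"
        return 0
    fi
    cpu_lines=$(fixed_in_cpu "$id")
    if [ -n "$cpu_lines" ]; then
        # Not installed, but a CPU in the repository delivers it: report the
        # first solaris-11-cpu version listed (last field of the first line).
        first_line=$(printf '%s\n' "$cpu_lines" | head -n 1)
        printf '%s\tavailable\t%s\n' "$id" "${first_line##* }"
        return 0
    fi
    printf '%s\tunknown\tno CVE metadata in the image or configured repositories\n' "$id"
}

# Report every CVE ID given as an argument. The exit status is 0 only when
# all of them are fixed in the local image, so the script can gate a check.
cve_report() {
    unfixed=0
    for id in "$@"; do
        line=$(cve_status "$id")
        printf '%s\n' "$line"
        case "$line" in
            *"${TAB}fixed${TAB}"*) ;;
            *) unfixed=$((unfixed + 1)) ;;
        esac
    done
    [ "$unfixed" -eq 0 ]
}

# Usage: sh cve_report.sh CVE-2014-7187 CVE-2015-5477
if [ "$#" -gt 0 ]; then
    cve_report "$@"
fi
```

The "available" state is the one to act on: the repository already has a solaris-11-cpu version that covers the CVE, so installing solaris-11-cpu@latest as shown earlier pulls in the fixed package if the affected software is installed. The "unknown" state means neither the image nor the repositories carry metadata for that CVE ID, which usually means the CVE does not affect Oracle Solaris packages or the metadata package itself is out of date; it is not evidence that the system is fixed.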
For more information about options to the pkg command, see the pkg(1) man page.