Oracle® Solaris 11.3 Security Compliance Guide

Updated: March 2018

Administering CVE Updates in Oracle Solaris

Systems that contain the most recent security fixes provide a more secure computing environment. Oracle Solaris provides online access to the Common Vulnerabilities and Exposures (CVE) list and other security fixes. The pkg command has options to search for CVE updates.

Monitoring CVE Status in Oracle Solaris

You can monitor the status of critical updates to Oracle Solaris packages by following the information at the Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin web site. You should apply critical patch updates without delay.

Locating the Packages That Have CVE Updates in Oracle Solaris

The Oracle Solaris Support package repository contains metadata for tracking security vulnerability fixes by the assigned CVE ID. Oracle Solaris creates a package of this metadata from the Oracle bug database. After installing the package, you can easily determine whether your system has all the known and required security vulnerability fixes. You do not need to derive this information from other sources. Using the Oracle bug database as your source is critically important because sometimes Oracle Solaris fixes a bug in an upstream Free and Open Source (FOSS) component by patching the code rather than by generating a new version of the component.

The metadata package from the Oracle bug database, pkg:/support/critical-patch-update/solaris-11-cpu, covers the entire dependency hierarchy. All packages that were changed for a particular CVE fix are dependencies of the solaris-11-cpu package. They are "optional" dependencies, therefore they are updated if they are already installed, but not installed if the software that is being fixed is not already installed.

The metadata package enables retrospective updates to the critical patch update (CPU) metadata where a shipped version already contains the fix for a given CVE ID. When Oracle Solaris publishes a new CPU, it also publishes a new version of the package to the Oracle Solaris support repository plus the new package versions that contain the fixes.

The version format for the CPU package is @YYYY.MM-VV where VV is usually a low number, as in the CPU package solaris-11-cpu@2014.10-1. This format enables Oracle Solaris to republish critical patch updates within the same month. Note that the day of the month (DD) is not part of the version format.

You can search the metadata by using either the Oracle Solaris Support package repository web site or the command-line interface. You can search for cases where a given CVE ID applies to multiple packages and also where a given package version contains fixes for multiple CVE IDs.

Installing the CPU Package

Your Oracle Solaris 11 systems do not have the solaris-11-cpu package installed by default, because this package is higher in the dependency hierarchy than the entire package. You must explicitly install the CPU package.

# pkg install solaris-11-cpu

After installation, the CPU package updates the system to the SRU version of the CPU. The updating includes all package updates between the SRU of the system and the SRU version of the CPU. For more information and examples, see Applying Support Updates in Adding and Updating Software in Oracle Solaris 11.3 and Critical Patch Update Packages in Adding and Updating Software in Oracle Solaris 11.3.

Managing CVE Updates From the Command Line

The examples in this section show how to use the command line to find CVE information.

Example 13  Several Ways of Listing the Packages That Contain Fixes to a CVE ID

When you know the CVE ID, you can use it to find the packages that contain the fix for it. The following searches find the fix for the bash Shellshock software bug.

  • The pkg search command searches all configured repositories and the local system for the CVE ID. The output lists which packages and versions contain the fix and which CPU delivers it. Note the use of the trailing colon (:) in the search to indicate a missing field.

    $ pkg search CVE-2014-7187:
    INDEX         ACTION VALUE                                                PACKAGE
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-3
    ...
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • Without the trailing colon, the pkg search command lists all solaris-11-cpu package versions, but does not list the bash package that contains the fix.

    $ pkg search CVE-2014-7187
      INDEX   ACTION VALUE          PACKAGE
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
    ...
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • The following command displays the CVE ID, the package that contains the fix, and solaris-11-cpu package version:

    $ pkg search -Ho name,value,pkg.shortfmri CVE-2014-7187:
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    ...
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-1
    ...
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • The pkg contents -r command searches the repository, not the local system, for the packages that fix the bash Shellshock software bug.

    $ pkg contents -Hro value -t set -a name=CVE-2014-7187 solaris-11-cpu
    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0
    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0
    pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0

Because SRUs and CPUs are cumulative, the fix is available after being installed once.

Example 14  Showing When a CVE Fix Was First Available

This example shows that the fix for the bash Shellshock software bug was first available for this system in the solaris-11-cpu@2014.4-1 package and in every following SRU.

$ pkg search -po pkg.shortfmri CVE-2014-7187
PKG.SHORTFMRI
pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-2
...
Example 15  Listing the CVE IDs in a Critical Patch Update

This example shows how to display every fixed CVE in the latest CPU.

$ pkg contents -rHo value -a name=info.cve solaris-11-cpu@latest
CVE-1999-0103
CVE-2002-2443
CVE-2003-0001
CVE-2004-0230
...
CVE-2015-5477
...
Example 16  Verifying That the Latest CPU Is Installed

To determine the status of the latest solaris-11-cpu package, use the pkg list command.

$ pkg list -af solaris-11-cpu@latest
NAME (PUBLISHER)                                  VERSION                    IFO
support/critical-patch-update/solaris-11-cpu      2015.8-1                   ---

Because the i flag is not in the I column, the latest CPU is not installed.

Example 17  Verifying That a Fix for a CVE ID Is Installed

To verify that you installed a fix for a specific CVE ID, search your installed packages for the CVE ID. If the fix is not installed, the command displays no output. The pkg search -l command searches the local disk only.

# pkg search -l CVE-2014-7187
INDEX      ACTION VALUE         PACKAGE
info.cve   set    CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
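The checks in Examples 13, 14, 16 and 17 can be combined into one script. The following Python is an added example, not part of the Oracle documentation: it parses the pkg search and pkg list output formats shown above (the sample output is constructed from the page's examples) and decides whether the CPU that first delivered a fix is installed. It assumes the CPU version format @YYYY.MM-VV described above and the cumulative nature of CPUs.

```python
import re
from typing import List, Optional, Tuple

CpuVersion = Tuple[int, ...]  # (YYYY, MM, VV); the day of month is not part of the format
_CPU_RE = re.compile(r"solaris-11-cpu@(\d{4})\.(\d{1,2})-(\d+)$")

def cpu_version(fmri: str) -> Optional[CpuVersion]:
    """Parse YYYY.MM-VV into a tuple that sorts correctly (a string sort
    would wrongly put 2014.10-1 before 2014.4-1)."""
    m = _CPU_RE.search(fmri.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def delivering_cpus(search_output: str) -> List[CpuVersion]:
    """Parse `pkg search -Ho name,value,pkg.shortfmri CVE-ID:` output (CVE ID, fixed
    package FMRI, CPU FMRI) into sorted CPUs; the first is where the fix first appeared."""
    cpus = set()
    for line in search_output.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank line or "..." elision marker
        cpu = cpu_version(fields[2])
        if cpu is not None:
            cpus.add(cpu)
    return sorted(cpus)

def installed_cpu(list_output: str) -> Optional[CpuVersion]:
    """Parse `pkg list -af solaris-11-cpu@latest` output; a version counts as
    installed only when the I column of IFO shows 'i'."""
    for line in list_output.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].endswith("solaris-11-cpu") and fields[2][0] == "i":
            return cpu_version("solaris-11-cpu@" + fields[1])
    return None

def fix_present(installed: Optional[CpuVersion], delivering: List[CpuVersion]) -> bool:
    """CPUs are cumulative: an installed CPU at or after the first delivering CPU carries the fix."""
    return bool(delivering) and installed is not None and installed >= delivering[0]

# Constructed sample output in the formats of Examples 13 and 16 (values from the
# page; the 2014.4-1 line is added here to match the first CPU in Example 14).
SAMPLE_SEARCH = """\
CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
CVE-2014-7187   pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-1
CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
"""
SAMPLE_LIST = """\
NAME (PUBLISHER)                                  VERSION                    IFO
support/critical-patch-update/solaris-11-cpu      2015.8-1                   ---
"""
```

On a live system, feed the script the real output of the two pkg commands instead of the samples; with the sample pkg list output above, fix_present returns False because the I column shows no i.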

For more information about options to the pkg command, see the pkg(1) man page.