Managing CVE Updates From the Command Line

The examples in this section show how to use the command line to find CVE information.

Example 3-1 Several Ways of Listing the Packages That Contain Fixes to a CVE ID

When you know the CVE ID, you can use it to find the packages that contain the fix for it. The following searches find the fix for the bash Shellshock software bug.

  • The pkg search command searches all configured repositories and the local system for the CVE ID. The output lists which packages and versions contain the fix and which solaris-11-cpu (Critical Patch Update) package delivers it. Note the use of the trailing colon (:) in the search to indicate a missing field.

    $ pkg search CVE-2014-7187:
    INDEX         ACTION VALUE                                                PACKAGE
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-3
    ...
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
    CVE-2014-7187 set    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • Without the trailing colon, the pkg search command lists all solaris-11-cpu package versions, but does not list the bash package that contains the fix.

    $ pkg search CVE-2014-7187
      INDEX   ACTION VALUE          PACKAGE
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
    ...
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • The following command displays the CVE ID, the package that contains the fix, and the solaris-11-cpu package version:

    $ pkg search -Ho name,value,pkg.shortfmri CVE-2014-7187:
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.8-1
    ...
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0    pkg:/support/critical-patch-update/solaris-11-cpu@2015.7-1
    ...
    CVE-2014-7187   pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0    pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
  • The pkg contents -r command searches the repository, not the local system, for the packages that fix the bash Shellshock software bug.

    $ pkg contents -Hro value -t set -a name=CVE-2014-7187 solaris-11-cpu
    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.2.0.8.0
    pkg://solaris/shell/bash@4.1.11,5.11-0.175.2.3.0.4.0
    pkg://solaris/shell/bash@4.1.17,5.11-0.175.2.5.0.2.0

Because SRUs and CPUs are cumulative, the fix is available after being installed once.

Example 3-2 Showing When a CVE Fix Was First Available

This example shows that the fix for the bash Shellshock software bug was first available for this system in the solaris-11-cpu@2014.4-1 package and in every following SRU.

$ pkg search -po pkg.shortfmri CVE-2014-7187
PKG.SHORTFMRI
pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-2
...

Example 3-3 Listing the CVE IDs in a Critical Patch Update

This example shows how to display every fixed CVE in the latest CPU.

$ pkg contents -rHo value -a name=info.cve solaris-11-cpu@latest
CVE-1999-0103
CVE-2002-2443
CVE-2003-0001
CVE-2004-0230
...
CVE-2015-5477
...

Example 3-4 Verifying That the Latest CPU Is Installed

To determine the status of the latest solaris-11-cpu package, use the pkg list command.

$ pkg list -af solaris-11-cpu@latest
NAME (PUBLISHER)                                  VERSION                    IFO
support/critical-patch-update/solaris-11-cpu      2015.8-1                   ---

Because the i flag is not in the I column, the latest CPU is not installed.
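The checks in Examples 3-2 and 3-4 are done by eye above; the following POSIX shell helpers are an added example (not part of the Oracle documentation) that parse the same pkg.shortfmri and IFO output formats so the checks can be scripted. The sample output embedded below is constructed to match the page's layout, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Two questions the examples above answer by reading output:
# which solaris-11-cpu version first delivered a CVE fix (Example 3-2)
# and whether the CPU package is installed (Example 3-4). With real output:
#   pkg search -po pkg.shortfmri CVE-2014-7187 | earliest_cpu
#   pkg list -af solaris-11-cpu@latest | cpu_installed support/critical-patch-update/solaris-11-cpu

# Constructed sample of `pkg search -po pkg.shortfmri CVE-2014-7187` output,
# deliberately shuffled: a plain lexical sort would rank 2014.10-1 before 2014.4-1.
SAMPLE_SEARCH='PKG.SHORTFMRI
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-2
pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1
pkg:/support/critical-patch-update/solaris-11-cpu@2014.4-1
pkg:/support/critical-patch-update/solaris-11-cpu@2015.1-1'

# Constructed sample of `pkg list -af solaris-11-cpu@latest` with no CPU installed.
SAMPLE_LIST='NAME (PUBLISHER)                              VERSION   IFO
support/critical-patch-update/solaris-11-cpu  2015.8-1  ---'

# stdin: pkg.shortfmri lines. stdout: CPU versions (year.month-rev), oldest first.
# Year, month and revision are compared as numbers, not as text.
cpu_versions_oldest_first() {
    grep 'solaris-11-cpu@' | sed -e 's/.*@//' -e 's/-/./' \
        | sort -t. -k1,1n -k2,2n -k3,3n | sed 's/\./-/2'
}

# First CPU version that carries the fix (empty when no CPU lists the CVE).
earliest_cpu() {
    cpu_versions_oldest_first | head -n 1
}

# stdin: pkg list output. Exit 0 when package $1 shows the i flag in the I column.
cpu_installed() {
    awk -v pkg="$1" '$1 == pkg && substr($NF, 1, 1) == "i" { found = 1 }
                     END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed samples.
first=$(printf '%s\n' "$SAMPLE_SEARCH" | earliest_cpu)
echo "CVE-2014-7187 first fixed in solaris-11-cpu@${first:-<none>}"
if printf '%s\n' "$SAMPLE_LIST" | cpu_installed support/critical-patch-update/solaris-11-cpu; then
    echo "latest CPU is installed"
else
    echo "latest CPU is NOT installed"
fi
```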

Example 3-5 Verifying That a Fix for a CVE ID Is Installed

To verify that you installed a fix for a specific CVE ID, search your installed packages for the CVE ID. If it is not installed, no output displays. The pkg search -l command searches the local disk only.

# pkg search -l CVE-2014-7187
INDEX      ACTION VALUE         PACKAGE
info.cve   set    CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2014.10-1

For more information about options to the pkg command, see the pkg(1) man page.