What is Solaris? Why should you use it?
Solaris is a Unix operating system originally developed by Sun Microsystems, which Oracle acquired in 2010; it is now shipped as Oracle Solaris. It is known for its scalability, so it handles heavy database, system and application workloads on large multi-core, multi-threaded SPARC and x86 systems, and it includes fault-management and service-management facilities (Predictive Self-Healing) that diagnose failing hardware and restart failed services automatically. This is a resilience feature, not disaster recovery. Like any operating system, it has to be kept at the latest fix level: a vulnerability management tool can detect known vulnerabilities on a system, but the fixes themselves come from Oracle's updates described below.
How does Oracle release security advisories for Solaris?
Oracle releases fixes for Oracle Solaris 11 as monthly Support Repository Updates (SRUs), which are installed through the package system (pkg update) from the support repository and contain security fixes as well as other bug fixes and enhancements. Applying an SRU is safe to roll back: the update is applied to a clone of the current boot environment (BE) rather than to the running one, the clone becomes active at the next reboot, and the previous BE is kept so it can be booted again if required. SRUs are cumulative: each SRU contains all the fixes delivered by the previous SRUs. Ex: if SRU 12 is the newly released SRU, it contains all the fixes of SRU 11 and earlier.
Every quarter, one SRU is designated the Critical Patch Update SRU (CPU SRU); it aligns with Oracle's quarterly Critical Patch Update and carries the fixes for the CVEs announced in that CPU. Deploying these updates across many systems is easier with patch management software.
The figure below shows two system upgrade strategies, where
GA = a release such as Oracle Solaris 11.2 or Oracle Solaris 11.3,
S = SRU, and
C = CPU SRU.
Figure 1: System Upgrade Strategies
To shorten the window in which known vulnerabilities can be exploited, Oracle recommends applying the fixes without delay. It is good practice to update every time a new SRU is available, or at least every quarter to the CPU SRU.
Where to find security fixes related to Solaris?
Security fixes released by Oracle for Solaris are announced on Oracle's Security Alerts page, which links to the Critical Patch Update Advisories, Security Alerts, and Bulletins.
What do the security advisories contain?
A Critical Patch Update Advisory announces a collection of cumulative patches for multiple security vulnerabilities. A Security Alert addresses a vulnerability fix that is too critical to wait until the next Critical Patch Update. A Solaris Third Party Bulletin announces patches for third-party software that is part of the Oracle Solaris distribution.
Where to look for information that is not available in security advisory links?
The details of the CVE fixes are in the additional information section or in the notes at the bottom of each advisory. If multiple CVEs affect the same product, the table contains only one entry for that product, with a linked note number; the remaining CVEs are listed in that note at the end of the advisory.
The CVE table released by Oracle for Solaris looks as shown in the image below.
Figure 2: CVE Table
The image below shows a notes section, which is at the end of certain advisory links.
Figure 3: Notes Section
Refer to the linked NVD entry for the description of each CVE. Whether the fixed version of an affected package is installed on a system can be checked with the Solaris 11 Image Packaging System (IPS), for example with pkg info or pkg list for the package named in the advisory.
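The SRU cadence described above and the IPS check just mentioned come together in one routine task: finding out which SRU a system is actually at and whether it is behind the SRU (for example the latest CPU SRU) you want it on. The script below is an added example written for this article; it is not code from the original page or from Oracle. On a Solaris 11 host the installed SRU is encoded in the version of the entire incorporation package, as printed by pkg list -H entire. Because that command only exists on Solaris, the script embeds a constructed sample line instead of running pkg, and the version layouts it decodes (0.5.11-0.175.3.12.0.4.0 for 11.3 SRU 12, 11.4-11.4.42.0.1.111.0 for 11.4 SRU 42) are assumptions stated in the comments; verify them against pkg info entire on your own systems.

```shell
#!/bin/sh
# Added example, not from the original article or from Oracle: decode the
# Oracle Solaris release and SRU number from the 'entire' incorporation
# package version and compare it with a target SRU (e.g. the latest CPU SRU).
# On a Solaris 11 host the input line comes from:   pkg list -H entire
# A constructed sample line is used here so the script runs anywhere.
#
# Version layouts this example ASSUMES (check with 'pkg info entire'):
#   11.1-11.3:  0.5.11-0.175.<minor>.<SRU>.0.<build>.0   (0.175.3.12.0.4.0 = 11.3 SRU 12)
#   11.4:       11.4-11.4.<SRU>.0.<respin>.<build>.0     (11.4.42.0.1.111.0 = 11.4 SRU 42)

# Constructed sample of 'pkg list -H entire' output (a Solaris 11.3 SRU 12 host).
SAMPLE_PKG_LIST='entire                                            0.5.11-0.175.3.12.0.4.0    i--'

# Print "<release> <sru>" (e.g. "11.3 12") for an 'entire' version string.
# Fails on any layout it does not recognise instead of guessing.
sru_from_version() {
    branch=${1#*-}                                  # part after the first '-'
    set -- $(printf '%s\n' "$branch" | tr '.' ' ')  # split on dots
    case "$1.$2" in
        0.175) printf '11.%s %s\n' "$3" "$4" ;;     # 0.175.3.12.... -> 11.3 12
        11.4)  printf '11.4 %s\n' "$3" ;;           # 11.4.42....    -> 11.4 42
        *)     return 1 ;;
    esac
}

# Given a 'pkg list -H entire' output line, print "<release> <sru>".
sru_from_pkg_list() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "entire" { print $2 }')
    [ -n "$ver" ] || return 1
    sru_from_version "$ver"
}

# Return 0 if the installed SRU is at or beyond the target SRU of the same
# release, 1 otherwise.  Usage: sru_at_least "<pkg list line>" <release> <sru>
sru_at_least() {
    installed=$(sru_from_pkg_list "$1") || return 1
    rel=${installed% *}
    sru=${installed#* }
    [ "$rel" = "$2" ] && [ "$sru" -ge "$3" ]
}

# Usage: is the sample host at or beyond 11.3 SRU 15 (a hypothetical target)?
if sru_at_least "$SAMPLE_PKG_LIST" 11.3 15; then
    echo "at or beyond 11.3 SRU 15"
else
    echo "behind: installed $(sru_from_pkg_list "$SAMPLE_PKG_LIST"); update, e.g.:"
    echo "  pkg update --be-name solaris-sru15   # installs into a new boot environment"
    echo "  beadm list                            # previous BE stays bootable"
fi
```

The check deliberately refuses to compare across releases (an 11.3 host is never "at or beyond" an 11.4 SRU), because SRU numbers restart with each release; an 11.3 box needs an upgrade to 11.4 first, which is the GA step in the upgrade strategies figure above. The pkg update and beadm lines are printed rather than executed so the example stays harmless outside Solaris.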