What is Solaris? Why should you use it?
Solaris is a Unix-based operating system developed by Sun Microsystems, which was later acquired by Oracle. Solaris is known for its scalability, so it can handle heavy workloads efficiently, and it has advanced security capabilities that automate self-healing (disaster recovery). It also runs on processors with high core counts, which can handle multiple threads simultaneously while operating smoothly across databases, systems, and applications.
How does Oracle release security advisories for Solaris?
Oracle releases monthly security fixes for Solaris as Support Repository Updates (SRUs), which deliver bug fixes and enhancements. Applying an SRU is safe because the update creates a backup of the boot environment before updating the running environment, so the system can be booted back into the older environment when required. SRUs are cumulative: each SRU contains all the fixes covered by the SRUs before it. For example, if SRU 12 is the newly released SRU, it contains all the fixes of SRU 11 and earlier.
Every quarter, these SRUs are combined into a Critical Patch Update (CPU SRU), which covers critical fixes, including the CVE fixes.
The figure below shows two system upgrade strategies, where
GA = a release such as Oracle Solaris 11.2 or Oracle Solaris 11.3,
S = SRU, and
C = CPU SRU.
Figure 1: System Upgrade Strategies
To reduce the risk of successful attacks, Oracle recommends applying the patches without delay. It is good practice to update every time a new SRU is available, or at least every quarter to the CPU SRU.
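As an added example, not part of the original article, the Python script below turns the cadence just described into a check a defender can run: it reads the branch version out of the output of `pkg info entire` (a constructed sample is embedded here), extracts the update and SRU numbers, and classifies the system as current, behind the monthly SRU, or behind the quarterly CPU SRU. The assumptions are that the Solaris 11 branch version follows the `0.175.<update>.<sru>.0.<build>.0` convention and that the "latest SRU" and "latest CPU SRU" numbers are taken from the current advisory; the figures used below are constructed for the example, not real advisory data.

```python
import re
from dataclasses import dataclass

# Constructed sample of `pkg info entire` output for this example; the version
# numbers and timestamp are made up and do not describe any real system.
SAMPLE_PKG_INFO = """\
          Name: entire
       Summary: Incorporation to lock all system packages to the same build
       Version: 0.5.11 (Oracle Solaris 11.3.9.4.0)
        Branch: 0.175.3.9.0.4.0
          FMRI: pkg://solaris/entire@0.5.11,5.11-0.175.3.9.0.4.0:20160526T231518Z
"""

# Assumed Solaris 11 branch version convention: 0.175.<update>.<sru>.0.<build>.0
BRANCH_RE = re.compile(
    r"^\s*Branch:\s*0\.175\.(\d+)\.(\d+)\.\d+\.\d+\.\d+\s*$", re.MULTILINE
)


@dataclass(frozen=True)
class SruLevel:
    update: int  # 2 for Solaris 11.2, 3 for Solaris 11.3
    sru: int     # SRU number within that update


def parse_sru_level(pkg_info_text: str) -> SruLevel:
    """Extract the update and SRU numbers from `pkg info entire` output."""
    match = BRANCH_RE.search(pkg_info_text)
    if match is None:
        raise ValueError("no Solaris 11 branch version found in pkg info output")
    return SruLevel(update=int(match.group(1)), sru=int(match.group(2)))


def has_fixes_of(installed: SruLevel, required: SruLevel) -> bool:
    """SRUs are cumulative within a release: SRU n contains every fix of SRU n-1
    and earlier, so an installed SRU at or above the required one has the fix."""
    return installed.update == required.update and installed.sru >= required.sru


def patch_status(installed: SruLevel, latest_sru: int, latest_cpu_sru: int,
                 update: int) -> str:
    """Classify a system against the advisory state for one release.

    latest_sru     - newest monthly SRU published for that update
    latest_cpu_sru - newest quarterly CPU SRU (one of the monthly SRUs)
    """
    if installed.update != update:
        return "release-mismatch"   # only compare within the same release
    if installed.sru >= latest_sru:
        return "current"            # on the newest monthly SRU
    if installed.sru >= latest_cpu_sru:
        return "behind-sru"         # has the last CPU SRU, missing monthly SRUs
    return "behind-cpu"             # missing quarterly critical (CVE) fixes


if __name__ == "__main__":
    level = parse_sru_level(SAMPLE_PKG_INFO)
    # Advisory figures below are constructed for the example.
    print(level, patch_status(level, latest_sru=12, latest_cpu_sru=10, update=3))
```

On a real system the input would come from running `pkg info entire` and passing its output to `parse_sru_level`; the "behind-cpu" result is the one that matters most, since it means the quarterly CVE fixes the advisory describes are not yet on the host.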
Where to find security fixes related to Solaris?
Security fixes released by Oracle for Solaris are listed on Oracle's security alert page, which links to the Critical Patch Update Advisories, Security Alerts, and Bulletins.
What do the security advisories contain?
A Critical Patch Update Advisory is a collection of cumulative patches for multiple security vulnerabilities. A Security Alert addresses vulnerability fixes that are too critical to wait until the next Critical Patch Update. The Solaris Third Party Bulletin announces patches for third-party software that is part of the Oracle Solaris distribution.
Where to look for information that is not available in security advisory links?
Details of the CVE fixes are given in the additional information section or in the notes at the bottom of each advisory. If multiple CVEs affect the same product, the table contains only one entry for that product, with a note number linked to it; the remaining CVEs are listed at the end of the respective advisory.
The CVE table released by Oracle for Solaris looks as shown in the image below.
Figure 2: CVE Table
The image below shows a notes section, which is usually found at the end of certain advisory links.
Figure 3: Notes Section
The NVD link for each CVE gives its description, and the updated version of the affected product can be checked with the Solaris 11 Image Packaging System (IPS).