19 December 2020

Does your system contain the fixes for CVEs or are you vulnerable?

On Solaris 11 the software packages are stored in a IPS repository.
One of the packages is 'solaris-11-cpu'.

If a CVE is fixed Oracle adds the CVE info into this package as metadata.

That's great. You can easly search for a CVE to find out which
package and Solaris Update contains the fix.

Current sample for CVS-2020-14871 "component: Pluggable authentication module"

-bash-5.0$ pkg search :CVE-2020-14871:
INDEX          ACTION VALUE              PACKAGE
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.9-2
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.10-2
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.27.0.1.82.2 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.27.0.1.82.2 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.6-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.8-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.9-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.10-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.7-2


This means you have the fix installed if you are on
Solaris 11.4  CPU 2020-09 or later which is S11.4 SRU 25

Users of our JomaSoft VDCF tool can list the systems centrally
where the required package is already installed

-bash-5.0$ vpkgadm -c show_server id=solaris/system/library@0.5.11-0.175.3.36.0.22.0

Package: system/library - Core system libraries
PKG-ID : solaris/system/library@0.5.11-0.175.3.36.0.22.0
Version: 0.5.11-0.175.3.36.0.22.0 is installed on:
   Name  Type     PatchLevel                GroupPkg       Comment
  g0062  Node     3.36.0.23.0 (U3.SRU36)    large-server   ZFS Cloning / Shared DS
  v0123  vServer  3.36.0.23.0 (U3.SRU36)    mini-server    ZFS Clones
  v0143  vServer  3.36.0.23.0 (U3.SRU36)    mini-server    Shared dataset

If the fix is not installed, it does not mean you are vulnerable in this special case,
because the bug has no impact on Solaris 11.1 or later.

This is documented here:
https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixSUNS

Anyway ... make sure you are up-to-date ...