Oracle has released a Critical Patch Update (CPU), a cumulative set of patches addressing 299 security issues across its product line, including a Solaris 10 vulnerability for which the NSA allegedly had a working exploit tool.
The privilege escalation vulnerability believed to be exploited by the NSA tool was in the Common Desktop Environment on Solaris 10. Oracle's Solaris 11 was not affected, but the unsupported Solaris 7, 8 and 9 releases may have been vulnerable on both SPARC and x86. Other leaked tools are believed to work only against older, unsupported Solaris versions, and some of the vulnerabilities they target had allegedly already been fixed by patches issued as early as January 2012.
“Oracle encourages all customers to update their systems frequently and fixes are cumulative – this is why any of the Solaris 10 patch distributions released since January 26, 2012, includes the fix,” said a spokesperson.
The update also addresses documented vulnerabilities in Fusion Middleware, the PeopleSoft suite, Oracle Communications products, Oracle Financial Services software, Java SE, Oracle Linux and MySQL, Oracle Database, Oracle Retail applications, support tools and others.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” reads the advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”
It is unclear whether, or how many of, the 299 patched vulnerabilities have been actively exploited in the wild, but Oracle strongly urges anyone running Solaris or any of its other products to deploy all outstanding patches, including the most recent ones. The Critical Patch Update schedule sets four further dates for cumulative fixes: 18 July 2017, 17 October 2017, 16 January 2018 and 17 April 2018.