Oracle’s Solaris Gets 299 Security Fixes, Including One for NSA’s Solaris 10 Hijacking Tool

Oracle has released a cumulative patch, described as a Critical Patch Update (CPU), that addresses 299 security issues in Solaris, including one in Solaris 10 for which the NSA allegedly had a hijacking tool.

The privilege escalation vulnerability believed to be exploited by the NSA tool affects the Common Desktop Environment on Solaris 10. While Oracle’s Solaris 11 operating system was immune to it, unsupported versions of Solaris 7 to 9 may have been vulnerable on SPARC and x86. Other leaked tools are believed to work only on older, unsupported versions of Solaris, while some had allegedly already been fixed by patches issued as early as January 2012.

“Oracle encourages all customers to update their systems frequently and fixes are cumulative – this is why any of the Solaris 10 patch distributions released since January 26, 2012, includes the fix,” said a spokesperson.

The patches address documented vulnerabilities in Fusion Middleware, PeopleSoft suite, Oracle Communications tools, Oracle Financial Services software, Java SE, Oracle Linux and MySQL, Oracle Database, retail tools, support tools and others.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” reads the advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

While it’s unclear whether, or how many of, the 299 patched vulnerabilities have been actively exploited in the wild, Oracle strongly urges those running Solaris or any of its tools to deploy all patches, including recent ones. The Critical Patch Update schedule also calls for four dates for cumulative fixes, aiming for 18 July 2017, 17 October 2017, 16 January 2018 and 17 April 2018.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.
