There is a horrible SSH exploit going around in the wild! Nearly all versions are affected, 9/10/11 – update soon or change your configurations – it hits SPARC and x86:
FIREEYE
Solaris Resource Controls – Oracle DB project
Last time I had to explain what this Solaris project for Oracle DBs means, line by line, and why each entry is set. The better question was: how can you see the usage if you have to increase the limit, again per entry? I tried to write it all down and want to share my findings. If you have any more input, I am open to sharing it.
BTW, never forget: you can always use “rctladm” to enable syslog for a lot of limits.
# rctladm -l
process.max-cpu-time syslog=off [ lowerable no-deny cpu-time inf seconds ]
process.max-file-size syslog=off [ lowerable deny file-size bytes ]
process.max-data-size syslog=off [ lowerable deny no-signal bytes ]
process.max-stack-size syslog=off [ lowerable deny no-signal bytes ]
process.max-core-size syslog=off [ lowerable deny no-signal bytes ]
process.max-file-descriptor syslog=off [ lowerable deny count ]
process.max-address-space syslog=off [ lowerable deny no-signal bytes ]
process.max-sem-nsems syslog=off [ deny count ]
process.max-sem-ops syslog=off [ deny count ]
process.max-msg-qbytes syslog=off [ deny bytes ]
process.max-msg-messages syslog=off [ deny count ]
process.max-port-events syslog=off [ deny count ]
process.max-itimers syslog=off [ deny count ]
process.max-sigqueue-size syslog=off [ lowerable deny count ]
process.max-deferred-posts syslog=off [ lowerable deny count ]
task.max-lwps syslog=off [ count ]
task.max-processes syslog=off [ count ]
task.max-cpu-time syslog=off [ no-deny cpu-time no-obs inf seconds ]
project.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
project.cpu-cap syslog=n/a [ no-basic deny no-signal inf no-syslog count ]
project.max-lwps syslog=off [ no-basic count ]
project.max-processes syslog=off [ no-basic count ]
project.max-tasks syslog=off [ no-basic count ]
project.max-sem-ids syslog=off [ no-basic deny count ]
project.max-msg-ids syslog=off [ no-basic deny count ]
project.max-shm-ids syslog=off [ no-basic deny count ]
project.max-shm-memory syslog=off [ no-basic deny bytes ]
project.max-mrp-ids syslog=off [ no-basic deny count ]
project.max-port-ids syslog=warning [ no-basic deny count ]
project.max-locked-memory syslog=off [ no-basic deny bytes ]
project.max-adi-metadata-memory syslog=off [ no-basic deny bytes ]
project.max-contracts syslog=off [ no-basic deny count ]
zone.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
zone.cpu-cap syslog=n/a [ no-basic deny no-signal inf no-syslog count ]
zone.max-lwps syslog=off [ no-basic count ]
zone.max-processes syslog=off [ no-basic count ]
zone.max-msg-ids syslog=off [ no-basic deny count ]
zone.max-sem-ids syslog=off [ no-basic deny count ]
zone.max-shm-ids syslog=off [ no-basic deny count ]
zone.max-shm-memory syslog=off [ no-basic deny bytes ]
zone.max-mrp-ids syslog=off [ no-basic deny count ]
zone.max-locked-memory syslog=off [ no-basic deny bytes ]
zone.max-adi-metadata-memory syslog=off [ no-basic deny bytes ]
zone.max-swap syslog=off [ no-basic deny bytes ]
zone.max-lofi syslog=off [ no-basic deny count ]
#
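As an added example (not part of the original post), this shell helper reads `rctladm -l` output and prints the `rctladm -e syslog=<level>` commands for every control that has logging off and carries the global `deny` flag. The function names, the `deny`-only selection and the default level `notice` are choices of this example; the sample lines are a constructed subset of the listing above.

```shell
#!/bin/sh
# Constructed sample in `rctladm -l` layout (subset of the listing above).
sample_rctladm() {
cat <<'EOF'
process.max-file-descriptor syslog=off [ lowerable deny count ]
process.max-cpu-time syslog=off [ lowerable no-deny cpu-time inf seconds ]
task.max-lwps syslog=off [ count ]
project.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
project.max-shm-memory syslog=off [ no-basic deny bytes ]
project.max-port-ids syslog=warning [ no-basic deny count ]
zone.max-swap syslog=off [ no-basic deny bytes ]
EOF
}

# plan_syslog [level]
# Reads `rctladm -l` output on stdin and prints one enable command per
# control that (a) currently has syslog=off, (b) is not marked no-syslog,
# and (c) has the global "deny" flag, i.e. hitting the limit fails a request.
# Controls with syslog=n/a or an already configured level are left alone.
plan_syslog() {
    level=${1:-notice}   # assumption: notice as default syslog level
    awk -v level="$level" '
        $2 == "syslog=off" {
            deny = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "no-syslog") next   # control cannot log at all
                if ($i == "deny") deny = 1    # exact match, so no-deny is ignored
            }
            if (deny) printf "rctladm -e syslog=%s %s\n", level, $1
        }'
}

# Demo on the constructed sample; on a live system: rctladm -l | plan_syslog warning
sample_rctladm | plan_syslog
```

Review the printed commands before running them as root; once enabled, a denied request for that control shows up in syslog instead of only as an application error.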
Solaris 11.3 Support End is near!
In May 2020 Oracle announced that Solaris 11.3 Premier Support is planned to end in October 2020, thus postponing the July 2020 end date mentioned last year.
With the release of Solaris 11.4 in September 2018, the main stream of development was shifted to the latest version and many features and bug fixes were developed exclusively for the 11.4 release. At that time, Oracle also announced that many older systems would no longer be supported on Solaris 11.4. This affected the following systems in particular:
– Mx000 SPARC Enterprise Server with SPARC64 VI, VII or VII+ CPUs
– All systems with UltraSPARC T1, T2, T2+ and T3 CPUs
– Many old SunFire / Oracle x86 servers of the Vx0z, X2xx00, X4xxx0 or the X6xx0 & X8xx0 blade modules
– And all Netra servers of the above mentioned series (NEBS certification and ETSI compliance)
Many of these SPARC servers are still running in customer environments, and Oracle listened to the community’s outcry at the time and provided so-called LSUs (Limited Support Updates) for Solaris 11.3. Following the seventh LSU (11.3.6.20.0 from April 14, 2020), a last LSU could be released by October. After that, it seems that there will be no more fixes for 11.3, and investment will go only into the continuous release model of Solaris 11.4. Although the maintenance contract still covers 11.3 in the sense of infinite “Sustaining Support”, Oracle will not offer stability or security patches for it.
As a result, a mandatory upgrade to Solaris 11.4 will only work as described above if the servers use at least Oracle SPARC T4 or SPARC64 X CPUs.
Many customers are very reluctant to upgrade to 11.4 because Oracle has included many new features in the fourth version. But meanwhile I can absolutely recommend the upgrade without a guilty conscience. Many of my customers have been stable on 11.4 for many months and appreciate the features and the usual stability of their Solaris environments. No matter if we talk about single servers or SuperCluster implementations.
Happy Upgrading!!!
Oracle Support Document 2382427.1 (Oracle Solaris 11.3 Support) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=2382427.1
Oracle Support Document 2433413.1 (Oracle Solaris 11.3 Limited Support Updates (LSU) Index) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=2433413.1