Oracle Solaris Third Party Bulletin - July 2022
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 18 October 2022
- 17 January 2023
- 18 April 2023
- 18 July 2023
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2022-September-20 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 49 |
| 2022-August-16 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 48 |
| 2022-July-19 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 47 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 35 new security patches for the Oracle Solaris Operating System. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2022-09-20
| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (seeRisk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2022-34265 | Oracle Solaris | Django | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | |
| CVE-2022-1587 | Oracle Solaris | PCRE | HTTP | Yes | 9.1 | Network | Low | None | None | Un changed | High | None | High | 11.4 | See Note 1 |
| CVE-2022-26691 | Oracle Solaris | Common Unix Printing System | None | No | 8.1 | Local | High | None | None | Changed | High | High | Low | 11.4 | |
| CVE-2022-32213 | Oracle Solaris | Node.js | HTTP | Yes | 8.1 | Network | High | None | None | Un changed | High | High | High | 11.4 | See Note 2 |
| CVE-2022-2319 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed | High | High | High | 11.4 | See Note 3 |
| CVE-2022-28739 | Oracle Solaris | Ruby | None | No | 6.2 | Local | Low | None | None | Un changed | None | High | None | 11.4 | |
| CVE-2022-30595 | Oracle Solaris | Python Imaging Library | None | No | 6.2 | Local | Low | None | None | Un changed | None | None | High | 11.4 | |
Revision 2: Published on 2022-08-16
| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (seeRisk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2022-1292 | Oracle Solaris | OpenSSL | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4, 10 | |
| CVE-2022-34169 | Oracle Solaris | JDK 7 | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 4 |
| CVE-2022-34169 | Oracle Solaris | JDK 8 | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 5 |
| CVE-2022-0943 | Oracle Solaris | Vim | None | No | 7.8 | Local | Low | None | Required | Un changed | High | High | High | 11.4 | See Note 6 |
| CVE-2022-1927 | Oracle Solaris | Vim | None | No | 7.8 | Local | Low | None | Required | Un changed | High | High | High | 11.4 | See Note 7 |
| CVE-2021-4219 | Oracle Solaris | ImageMagick | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2022-0778 | Oracle Solaris | MySQL | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | See Note 8 |
| CVE-2022-1328 | Oracle Solaris | Mutt | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2022-1473 | Oracle Solaris | OpenSSL | TLS | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | See Note 9 |
| CVE-2022-30333 | Oracle Solaris | UnRAR | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed | None | High | None | 11.4 | |
| CVE-2022-27779 | Oracle Solaris | libcurl | HTTP | No | 6.8 | Network | Low | Low | Required | Changed | None | None | High | 11.4 | See Note 10 |
| CVE-2022-24765 | Oracle Solaris | Git | None | No | 6.7 | Local | High | None | None | Un changed | High | High | None | 11.4 | |
| CVE-2022-31813 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 6.5 | Network | High | None | None | Changed | Low | Low | Low | 11.4 | See Note 11 |
| CVE-2022-2200 | Oracle Solaris | Firefox | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 12 |
| CVE-2022-24303 | Oracle Solaris | Python Imaging Library | HTTP | Yes | 5.9 | Network | High | None | None | Un changed | None | High | None | 11.4 | |
| CVE-2022-1343 | Oracle Solaris | OpenSSL | TLS | Yes | 5.3 | Network | Low | None | None | Un changed | None | Low | None | 11.4 | |
| CVE-2018-1000007 | Oracle Solaris | libcurl | HTTP | Yes | 5 | Network | High | None | Required | Un changed | Low | Low | Low | 11.4 | See Note 13 |
| CVE-2022-24302 | Oracle Solaris | Paramiko | None | No | 5 | Local | Low | Low | Required | Un changed | High | None | None | 11.4 | |
Revision 1: Published on 2022-07-19
| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (seeRisk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2021-21708 | Oracle Solaris | PHP | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | |
| CVE-2022-23806 | Oracle Solaris | GCC Go | HTTP | Yes | 9.1 | Network | Low | None | None | Un changed | None | High | High | 11.4 | See Note 14 |
| CVE-2022-25762 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 8.6 | Network | Low | None | None | Un changed | High | Low | Low | 11.4 | |
| CVE-2022-24801 | Oracle Solaris | Twisted | HTTP | Yes | 8.1 | Network | High | None | None | Un changed | High | High | High | 11.4 | |
| CVE-2022-23772 | Oracle Solaris | GCC Go | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | See Note 15 |
| CVE-2022-31736 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed | High | High | High | 11.4 | See Note 16 |
| CVE-2022-1834 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed | High | High | High | 11.4 | See Note 17 |
| CVE-2022-29824 | Oracle Solaris | libxml2 | HTTP | Yes | 7.4 | Network | High | None | None | Un changed | None | High | High | 11.4 | |
| CVE-2022-1271 | Oracle Solaris | Gzip | HTTP | No | 7.1 | Network | High | Low | Required | Un changed | High | High | High | 11.4 | |
| CVE-2022-1271 | Oracle Solaris | Gzip | Multiple | No | 7.1 | Network | High | Low | Required | Un changed | High | High | High | 11.4 | |
Notes:
1. This patch also addresses CVE-2022-1586.2. This patch also addresses CVE-2022-2097 CVE-2022-32212 CVE-2022-32214 CVE-2022-32215 CVE-2022-32222 CVE-2022-32223.
3. This patch also addresses CVE-2022-2320.
4. This patch also addresses CVE-2022-21540 CVE-2022-21541.
5. This patch also addresses CVE-2022-21540 CVE-2022-21541.
6. This patch also addresses CVE-2022-1154.
7. This patch also addresses CVE-2022-1160 CVE-2022-1381 CVE-2022-1420 CVE-2022-1616 CVE-2022-1619 CVE-2022-1620 CVE-2022-1621 CVE-2022-1629 CVE-2022-1674 CVE-2022-1733 CVE-2022-1735 CVE-2022-1769 CVE-2022-1771 CVE-2022-1785 CVE-2022-1796 CVE-2022-1851 CVE-2022-1886 CVE-2022-1898 CVE-2022-1942.
8. This patch also addresses CVE-2022-21417 CVE-2022-21427 CVE-2022-21444 CVE-2022-21451 CVE-2022-21454 CVE-2022-21460.
9. This patch also addresses CVE-2022-1434.
10. This patch also addresses CVE-2022-27778 CVE-2022-27780 CVE-2022-27781 CVE-2022-27782 CVE-2022-30115.
11. This patch also addresses CVE-2022-26377 CVE-2022-28330 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556.
12. This patch also addresses CVE-2022-31744 CVE-2022-34468 CVE-2022-34470 CVE-2022-34472 CVE-2022-34478 CVE-2022-34479 CVE-2022-34481 CVE-2022-34484.
13. This patch also addresses CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776.
14. This patch also addresses CVE-2021-29923 CVE-2022-23772 CVE-2022-23773.
15. This patch also addresses CVE-2022-23772 CVE-2022-23773 CVE-2022-24675 CVE-2022-28327.
16. This patch also addresses CVE-2022-31737 CVE-2022-31738 CVE-2022-31739 CVE-2022-31740 CVE-2022-31741 CVE-2022-31742 CVE-2022-31747.
17. This patch also addresses CVE-2022-31736 CVE-2022-31737 CVE-2022-31738 CVE-2022-31739 CVE-2022-31740 CVE-2022-31741 CVE-2022-31742 CVE-2022-31747.