Oracle Solaris Third Party Bulletin - July 2023
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 17 October 2023
- 16 January 2024
- 16 April 2024
- 16 July 2024
References
- Oracle Critical Patch Updates and Security Alerts main page [Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [CPU FAQ ]
- Risk Matrix definitions [Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2023-September-19 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 61 |
| 2023-August-22 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 60 |
| 2023-July-18 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 59 and Solaris 11.3 ESU 36.32 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 57 new security patches for the Oracle Solaris Operating System. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2023-09-19
| CVE ID | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (seeRisk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2023-29402 | Oracle Solaris | Go Programming Language | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 1 |
| CVE-2023-4056 | Oracle Solaris | Firefox | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 2 |
| CVE-2023-4056 | Oracle Solaris | Thunderbird | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 3 |
| CVE-2023-37201 | Oracle Solaris | Firefox | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed | High | High | High | 11.4 | See Note 4 |
| CVE-2023-37201 | Oracle Solaris | Thunderbird | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed | High | High | High | 11.4 | See Note 5 |
| CVE-2023-3666 | Oracle Solaris | Ghostscript | None | No | 8.4 | Local | Low | None | None | Un changed | High | High | High | 11.4 | See Note 6 |
| CVE-2023-32005 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | High | None | 11.4 | See Note 7 |
| CVE-2023-36053 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-38403 | Oracle Solaris | Tool For Measuring Internet Bandwidth | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-29406 | Oracle Solaris | Go Programming Language | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed | None | High | None | 11.4 | See Note 8 |
Revision 2: Published on 2023-08-22
| CVE ID | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (seeRisk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2022-32221 | Oracle Solaris | libcurl | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 9 |
| CVE-2022-48337 | Oracle Solaris | GNU Emacs | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 10 |
| CVE-2023-28879 | Oracle Solaris | Ghostscript | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | |
| CVE-2023-23914 | Oracle Solaris | libcurl | HTTP | Yes | 9.1 | Network | Low | None | None | Un changed | High | High | None | 11.4 | See Note 11 |
| CVE-2023-0049 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | None | Required | Un changed | High | High | High | 11.4 | See Note 12 |
| CVE-2023-1393 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed | High | High | High | 11.4 | |
| CVE-2023-29491 | Oracle Solaris | Ncurses | None | No | 7.8 | Local | Low | Low | None | Un changed | High | High | High | 11.4 | |
| CVE-2022-3924 | Oracle Solaris | Bind | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | See Note 13 |
| CVE-2022-4899 | Oracle Solaris | Zstd Port For Solaris | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-25193 | Oracle Solaris | Harfbuzz Text Shaping Engine | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-2650 | Oracle Solaris | OpenSSL | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-28450 | Oracle Solaris | DNSmasq | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-2879 | Oracle Solaris | Wireshark | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | See Note 14 |
| CVE-2023-30581 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | High | None | 11.4 | See Note 15 |
| CVE-2023-3138 | Oracle Solaris | X.Org | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-34241 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 7.1 | Local | Low | Low | None | Un changed | High | None | High | 11.4 | |
| CVE-2021-46784 | Oracle Solaris | Squid | HTTP | No | 6.5 | Network | Low | Low | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-31147 | Oracle Solaris | C-Ares Asychronous Dns Library | HTTP | Yes | 6.5 | Network | Low | None | None | Un changed | Low | Low | None | 11.4 | See Note 16 |
| CVE-2023-34969 | Oracle Solaris | DBus | HTTP | No | 6.5 | Network | Low | Low | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-32681 | Oracle Solaris | Requests | HTTP | Yes | 6.1 | Network | High | None | Required | Changed | High | None | None | 11.4 | |
| CVE-2023-22043 | Oracle Solaris | JDK 8 | HTTP | Yes | 5.9 | Network | High | None | None | Un changed | None | High | None | 11.4 | |
| CVE-2017-5715 | Oracle Solaris | Kernel | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 11.4 | |
| CVE-2018-3639 | Oracle Solaris | Kernel | None | No | 5.5 | Local | Low | Low | None | Un changed | High | None | None | 11.4 | |
| CVE-2021-44917 | Oracle Solaris | Gnuplot | None | No | 5.5 | Local | Low | None | Required | Un changed | None | None | High | 11.4 | |
| CVE-2023-1906 | Oracle Solaris | ImageMagick | None | No | 5.5 | Local | Low | None | Required | Un changed | None | None | High | 11.4 | |
| CVE-2023-29499 | Oracle Solaris | GLib | None | No | 5.5 | Local | Low | None | Required | Un changed | None | None | High | 11.4 | See Note 17 |
| CVE-2023-3195 | Oracle Solaris | ImageMagick | None | No | 5.5 | Local | Low | None | Required | Un changed | None | None | High | 11.4 | |
| CVE-2023-32762 | Oracle Solaris | Qt Toolkit | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed | None | Low | None | 11.4 | See Note 18 |
| CVE-2023-1981 | Oracle Solaris | OpenSSL | None | No | 0 | Local | High | High | None | Un changed | None | None | None | 11.4 | |
| CVE-2023-2004 | Oracle Solaris | FreeType | Multiple | Yes | 0 | Network | Low | None | None | Un changed | None | None | None | 11.4 | |
Revision 1: Published on 2023-07-18
| CVE ID | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (seeRisk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2022-37434 | Oracle Solaris | MySQL | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 19 |
| CVE-2023-34416 | Oracle Solaris | Firefox | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 20 |
| CVE-2023-34416 | Oracle Solaris | Thunderbird | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed | High | High | High | 11.4 | See Note 21 |
| CVE-2021-3575 | Oracle Solaris | OpenJPEG | None | No | 7.8 | Local | Low | None | Required | Un changed | High | High | High | 11.4 | |
| CVE-2023-29007 | Oracle Solaris | Git | None | No | 7.8 | Local | Low | None | Required | Un changed | High | High | High | 11.4 | See Note 22 |
| CVE-2022-41716 | Oracle Solaris | Go | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | High | None | 11.4 | See Note 23 |
| CVE-2023-1999 | Oracle Solaris | libwebp | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed | High | High | High | 11.4 | |
| CVE-2023-24998 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | See Note 24 |
| CVE-2023-26767 | Oracle Solaris | Liblouis | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | See Note 25 |
| CVE-2023-30608 | Oracle Solaris | SQL Parser | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed | None | None | High | 11.4 | |
| CVE-2023-24539 | Oracle Solaris | Go | HTTP | Yes | 7.3 | Network | Low | None | None | Un changed | Low | Low | Low | 11.4 | See Note 26 |
| CVE-2023-21980 | Oracle Solaris | MySQL | HTTP | No | 7.1 | Network | High | Low | Required | Un changed | High | High | High | 11.4 | See Note 27 |
| CVE-2023-28484 | Oracle Solaris | libxml2 | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed | None | None | High | 11.4 | See Note 28 |
| CVE-2022-31783 | Oracle Solaris | Liblouis | None | No | 5.5 | Local | Low | None | Required | Un changed | None | None | High | 11.4 | |
| CVE-2022-37290 | Oracle Solaris | Nautilus | None | No | 5.5 | Local | Low | Low | None | Un changed | None | None | High | 11.4 | See Note 29 |
| CVE-2023-2731 | Oracle Solaris | LibTIFF | None | No | 5.5 | Local | Low | None | Required | Un changed | None | None | High | 11.4 | See Note 30 |
| CVE-2023-32324 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 5.5 | Local | Low | None | Required | Un changed | None | None | High | 11.4 | |
Notes:
1. This patch also addresses CVE-2023-29403 CVE-2023-29404 CVE-2023-29405.2. This patch also addresses CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4054 CVE-2023-4055.
3. This patch also addresses CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4054 CVE-2023-4055.
4. This patch also addresses CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 CVE-2023-37211.
5. This patch also addresses CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 CVE-2023-37211.
6. This patch also addresses CVE-2023-36664.
7. This patch also addresses CVE-2023-32002 CVE-2023-32003 CVE-2023-32004 CVE-2023-32006 CVE-2023-32558 CVE-2023-32559.
8. This patch also addresses CVE-2023-29409.
9. This patch also addresses CVE-2023-28319 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322.
10. This patch also addresses CVE-2022-48338 CVE-2022-48339 CVE-2023-27985 CVE-2023-27986.
11. This patch also addresses CVE-2022-32206 CVE-2023-23915 CVE-2023-23916.
12. This patch also addresses CVE-2023-0051 CVE-2023-0054 CVE-2023-0288 CVE-2023-0512 CVE-2023-1127 CVE-2023-1170 CVE-2023-1175.
13. This patch also addresses CVE-2023-2828 CVE-2023-2911.
14. This patch also addresses CVE-2023-0666 CVE-2023-0668 CVE-2023-2854 CVE-2023-2855 CVE-2023-2857 CVE-2023-2858.
15. This patch also addresses CVE-2023-30582 CVE-2023-30583 CVE-2023-30584 CVE-2023-30585 CVE-2023-30586 CVE-2023-30587 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590.
16. This patch also addresses CVE-2023-31124 CVE-2023-31130 CVE-2023-32067.
17. This patch also addresses CVE-2023-32611 CVE-2023-32636 CVE-2023-32643 CVE-2023-32665.
18. This patch also addresses CVE-2023-32573 CVE-2023-32763.
19. This patch also addresses CVE-2022-43551 CVE-2023-0215 CVE-2023-21912 CVE-2023-21980.
20. This patch also addresses CVE-2023-34414.
21. This patch also addresses CVE-2023-34414.
22. This patch also addresses CVE-2023-25652 CVE-2023-25815.
23. This patch also addresses CVE-2022-41717 CVE-2022-41720.
24. This patch also addresses CVE-2023-28709 CVE-2023-34981.
25. This patch also addresses CVE-2023-26768 CVE-2023-26769.
26. This patch also addresses CVE-2023-24540 CVE-2023-29400.
27. This patch also addresses CVE-2023-21911 CVE-2023-21919 CVE-2023-21920 CVE-2023-21929 CVE-2023-21933 CVE-2023-21935 CVE-2023-21940 CVE-2023-21945 CVE-2023-21946 CVE-2023-21947 CVE-2023-21953 CVE-2023-21955 CVE-2023-21962 CVE-2023-21966 CVE-2023-21972 CVE-2023-21976 CVE-2023-21977 CVE-2023-21982.
28. This patch also addresses CVE-2023-29469.
29. This patch also addresses CVE-2022-37290.
30. This patch also addresses CVE-2023-30086 CVE-2023-30774 CVE-2023-30775.