Oracle Solaris Third Party Bulletin - July 2024


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Since January 20, 2015, Third Party Bulletins have been released on the same day as Oracle Critical Patch Updates. These bulletins are also updated during the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 15 October 2024
  • 21 January 2025
  • 15 April 2025
  • 15 July 2025

References


Modification History

| Date | Note |
|---|---|
| 2024-September-24 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 73 |
| 2024-August-20 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 72 |
| 2024-July-16 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 71 |

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 72 new security patches for the Oracle Solaris Operating System. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2024-09-24

The columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-42005 | Oracle Solaris | Django | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 1 |
| CVE-2024-6602 | Oracle Solaris | Thunderbird | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 2 |
| CVE-2024-6602 | Oracle Solaris | Firefox | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 3 |
| CVE-2024-7519 | Oracle Solaris | Thunderbird | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 11.4 | See Note 4 |
| CVE-2024-7519 | Oracle Solaris | Firefox | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 11.4 | See Note 5 |
| CVE-2024-22018 | Oracle Solaris | Node.js | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | See Note 6 |
| CVE-2024-34750 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-4076 | Oracle Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 7 |
| CVE-2024-40898 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4, 10 | See Note 8 |
| CVE-2024-6197 | Oracle Solaris | libcurl | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-21171 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 | See Note 9 |
| CVE-2024-5569 | Oracle Solaris | Zipp | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-21520 | Oracle Solaris | Django | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2024-24791 | Oracle Solaris | Go Programming Language | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-36387 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 11.4, 10 | See Note 10 |
| CVE-2024-8645 | Oracle Solaris | Wireshark | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2024-38875 | Oracle Solaris | Django | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 11 |
| CVE-2024-0397 | Oracle Solaris | Python | TLS | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 11.4 | |
| CVE-2024-37891 | Oracle Solaris | Urllib3 | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 11.4 | |
| CVE-2024-4032 | Oracle Solaris | Python | None | No | 3.3 | Local | Low | Low | None | Unchanged | None | None | Low | 11.4 | |

Revision 2: Published on 2024-08-20

The columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-32744 | Oracle Solaris | Samba | SMB | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 12 |
| CVE-2024-25111 | Oracle Solaris | Squid | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 11.4 | |
| CVE-2024-22667 | Oracle Solaris | VIM | None | No | 8.4 | Local | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2024-32487 | Oracle Solaris | less | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | 11.4 | |
| CVE-2024-31080 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 13 |
| CVE-2024-39331 | Oracle Solaris | GNU Emacs | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2024-4453 | Oracle Solaris | GStreamer | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2024-5197 | Oracle Solaris | libvpx | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 | |
| CVE-2024-2004 | Oracle Solaris | libcurl | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 14 |
| CVE-2024-24787 | Oracle Solaris | Go Programming Language | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 15 |
| CVE-2024-25580 | Oracle Solaris | Qt | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 16 |
| CVE-2024-28757 | Oracle Solaris | libexpat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-3205 | Oracle Solaris | libyaml | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2023-0361 | Oracle Solaris | GnuTLS | TLS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.4 | |
| CVE-2024-21147 | Oracle Solaris | JDK 8 | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.4 | |
| CVE-2024-30202 | Oracle Solaris | GNU Emacs | None | No | 7.3 | Local | Low | None | Required | Unchanged | High | High | Low | 11.4 | See Note 17 |
| CVE-2023-38497 | Oracle Solaris | Rust | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2021-4209 | Oracle Solaris | GnuTLS | TLS | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 | |
| CVE-2023-5388 | Oracle Solaris | Netscape Security Services | HTTPS | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.4 | |
| CVE-2023-45918 | Oracle Solaris | Ncurses | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-24790 | Oracle Solaris | Go Programming Language | None | No | 6.2 | Local | High | None | None | Unchanged | Low | High | Low | 11.4 | See Note 18 |
| CVE-2023-40030 | Oracle Solaris | Rust | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2023-5981 | Oracle Solaris | GnuTLS | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | |
| CVE-2024-0553 | Oracle Solaris | GnuTLS | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | See Note 19 |
| CVE-2024-0567 | Oracle Solaris | GnuTLS | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-26306 | Oracle Solaris | iPerf | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | |
| CVE-2024-35195 | Oracle Solaris | Requests | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 11.4 | |
| CVE-2024-4741 | Oracle Solaris | OpenSSL | TLS | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2022-0529 | Oracle Solaris | Unzip | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 20 |
| CVE-2023-52722 | Oracle Solaris | Ghostscript | None | No | 5.5 | Local | Low | None | Required | Unchanged | High | None | None | 11.4 | See Note 21 |
| CVE-2024-28182 | Oracle Solaris | Nghttp2 | HTTP/2 | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2024-28834 | Oracle Solaris | GnuTLS | TLS | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 11.4 | See Note 22 |
| CVE-2024-4603 | Oracle Solaris | OpenSSL | TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2023-46045 | Oracle Solaris | Graphviz | None | No | 4.2 | Local | Low | High | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2019-13232 | Oracle Solaris | Unzip | None | No | 4 | Local | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2024-2511 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2024-39894 | Oracle Solaris | OpenSSH | SSH | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | 11.4 | |

Revision 1: Published on 2024-07-16

The columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-37920 | Oracle Solaris | Certifi | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2024-4577 | Oracle Solaris | PHP | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 23 |
| CVE-2024-2756 | Oracle Solaris | PHP | HTTP | Yes | 8.3 | Network | Low | None | Required | Unchanged | High | High | Low | 11.4 | See Note 24 |
| CVE-2024-27316 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2024-27351 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-2757 | Oracle Solaris | PHP | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-32004 | Oracle Solaris | Git | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 25 |
| CVE-2024-37407 | Oracle Solaris | Libarchive | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 26 |
| CVE-2024-5688 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 27 |
| CVE-2024-5688 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 28 |
| CVE-2023-38709 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 6.8 | Network | High | None | None | Changed | None | High | None | 11.4, 10 | See Note 29 |
| CVE-2024-1931 | Oracle Solaris | Unbound | DNS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-0911 | Oracle Solaris | GNU Indent | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-34064 | Oracle Solaris | Jinja | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 11.4 | |
| CVE-2024-43168 | Oracle Solaris | Unbound | None | No | 4.8 | Local | Low | Low | Required | Unchanged | Low | Low | Low | 11.4 | |

Notes:

1. This patch also addresses CVE-2024-41989 CVE-2024-41990 CVE-2024-41991.

2. This patch also addresses CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-6606 CVE-2024-6607 CVE-2024-6608 CVE-2024-6609 CVE-2024-6610 CVE-2024-6611 CVE-2024-6612 CVE-2024-6613 CVE-2024-6614 CVE-2024-6615.

3. This patch also addresses CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-6605 CVE-2024-6606 CVE-2024-6607 CVE-2024-6608 CVE-2024-6609 CVE-2024-6610 CVE-2024-6611 CVE-2024-6612 CVE-2024-6613 CVE-2024-6614 CVE-2024-6615.

4. This patch also addresses CVE-2024-7518 CVE-2024-7520 CVE-2024-7521 CVE-2024-7522 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7528 CVE-2024-7529.

5. This patch also addresses CVE-2024-7518 CVE-2024-7520 CVE-2024-7521 CVE-2024-7522 CVE-2024-7524 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7528 CVE-2024-7529 CVE-2024-7531.

6. This patch also addresses CVE-2024-22020 CVE-2024-27980 CVE-2024-36137 CVE-2024-36138 CVE-2024-37372.

7. This patch also addresses CVE-2024-0760 CVE-2024-1737 CVE-2024-1975.

8. This patch also addresses CVE-2024-40725 CVE-2024-40898.

9. This patch also addresses CVE-2024-20996 CVE-2024-21125 CVE-2024-21127 CVE-2024-21129 CVE-2024-21130 CVE-2024-21134 CVE-2024-21142 CVE-2024-21162 CVE-2024-21163 CVE-2024-21165 CVE-2024-21173 CVE-2024-21177 CVE-2024-21179.

10. This patch also addresses CVE-2024-38472 CVE-2024-38473 CVE-2024-38474 CVE-2024-38475 CVE-2024-38477 CVE-2024-39573.

11. This patch also addresses CVE-2024-39329 CVE-2024-39330 CVE-2024-39614.

12. This patch also addresses CVE-2021-20251 CVE-2021-44141 CVE-2022-32742 CVE-2022-32745 CVE-2022-32746 CVE-2022-37966 CVE-2022-38023 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968 CVE-2023-4091.

13. This patch also addresses CVE-2024-31081 CVE-2024-31082 CVE-2024-31083.

14. This patch also addresses CVE-2024-2379 CVE-2024-2398 CVE-2024-2466.

15. This patch also addresses CVE-2024-24788.

16. This patch also addresses CVE-2023-51714 CVE-2024-30161.

17. This patch also addresses CVE-2024-30203 CVE-2024-30204 CVE-2024-30205.

18. This patch also addresses CVE-2024-24789.

19. This patch also addresses CVE-2023-5981.

20. This patch also addresses CVE-2022-0530.

21. This patch also addresses CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871.

22. This patch also addresses CVE-2024-28835.

23. This patch also addresses CVE-2024-1874 CVE-2024-2408 CVE-2024-4577 CVE-2024-5458 CVE-2024-5585.

24. This patch also addresses CVE-2022-31629 CVE-2024-3096.

25. This patch also addresses CVE-2024-32002 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465.

26. This patch also addresses CVE-2024-20697 CVE-2024-26256.

27. This patch also addresses CVE-2024-5691 CVE-2024-5692 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702.

28. This patch also addresses CVE-2024-5690 CVE-2024-5691 CVE-2024-5692 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702.

29. This patch also addresses CVE-2024-24795.