Oracle Solaris Third Party Bulletin - April 2021
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 20 July 2021
- 19 October 2021
- 18 January 2022
- 19 April 2022
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2021-June-15 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 34. |
| 2021-May-18 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 33. |
| 2021-April-20 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 32. Solaris 11.3 ESU 36.25 was released as well. |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 58 new security patches for the Oracle Solaris Operating System. 43 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2021-06-15
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-1871 | Oracle Solaris | WebKitGTK | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2021-25216 | Oracle Solaris | Bind | DNS | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4, 10 | See Note 2 |
| CVE-2021-23994 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2021-31542 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-29921 | Oracle Solaris | Python | HTTP | Yes | 7.4 | Network | High | None | None | Un changed |
None | High | High | 11.4 | |
| CVE-2021-22207 | Oracle Solaris | Wireshark | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-20227 | Oracle Solaris | SQLite3 | None | No | 6.1 | Local | Low | Low | Required | Un changed |
Low | Low | High | 11.4 | |
| CVE-2021-28658 | Oracle Solaris | Django | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2021-23991 | Oracle Solaris | Thunderbird | Multiple | Yes | 4.3 | Network | Low | None | Required | Un changed |
None | None | Low | 11.4 | See Note 4 |
Revision 2: Published on 2021-05-18
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-14343 | Oracle Solaris | PyYAML | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2020-36242 | Oracle Solaris | Python cryptographic standard library | Multiple | Yes | 9.1 | Network | Low | None | None | Un changed |
High | None | High | 11.4 | |
| CVE-2021-1870 | Oracle Solaris | WebKitGTK | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2021-25289 | Oracle Solaris | Python Imaging Library (PIL) | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2021-26937 | Oracle Solaris | GNU Screen | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-26937 | Oracle Solaris | XTerm | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2020-35492 | Oracle Solaris | Cairo Graphics Library | None | No | 8.6 | Local | Low | None | Required | Changed | High | High | High | 11.4 | |
| CVE-2020-14409 | Oracle Solaris | LibSDL | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 9 |
| CVE-2020-14150 | Oracle Solaris | GNU Bison | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-17525 | Oracle Solaris | Apache Subversion | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-21300 | Oracle Solaris | Git | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-23840 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4, 10 | See Note 10 |
| CVE-2021-23840 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 11 |
| CVE-2021-23840 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2007-1562 | Oracle Solaris | libcurl | Multiple | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 12 |
| CVE-2021-28041 | Oracle Solaris | OpenSSH | Multiple | No | 7.1 | Network | High | Low | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-28153 | Oracle Solaris | GLib | None | No | 7.1 | Local | Low | None | Required | Un changed |
None | High | High | 11.4 | |
| CVE-2020-35523 | Oracle Solaris | LibTIFF | None | No | 7 | Local | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2019-9792 | Oracle Solaris | SpiderMonkey | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2021-3181 | Oracle Solaris | Mutt | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2021-2161 | Oracle Solaris | JDK 7 | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | See Note 15 |
| CVE-2021-2161 | Oracle Solaris | JDK 8 | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | See Note 16 |
| CVE-2020-36241 | Oracle Solaris | GNOME | Multiple | No | 5.5 | Local | Low | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-20176 | Oracle Solaris | ImageMagick | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 17 |
| CVE-2020-28493 | Oracle Solaris | Jinja2 | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2020-35521 | Oracle Solaris | LibTIFF | None | No | 4.7 | Local | High | None | Required | Un changed |
None | None | High | 11.4 | See Note 18 |
| CVE-2020-36241 | Oracle Solaris | GNOME | Multiple | No | 3.9 | Local | Low | Low | Required | Un changed |
None | Low | Low | 11.4 | See Note 19 |
| CVE-2020-8231 | Oracle Solaris | libcurl | Multiple | Yes | 3.1 | Network | High | None | Required | Un changed |
Low | None | None | 11.4 | |
Revision 1: Published on 2021-04-20
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-9791 | Oracle Solaris | SpiderMonkey | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-3177 | Oracle Solaris | Python | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 20 |
| CVE-2020-13558 | Oracle Solaris | WebKitGTK | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-28948 | Oracle Solaris | PEAR | Multiple | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 21 |
| CVE-2020-35457 | Oracle Solaris | GLib | Multiple | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-20215 | Oracle Solaris | Privoxy | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 22 |
| CVE-2020-8265 | Oracle Solaris | Node.js | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 23 |
| CVE-2021-22173 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 24 |
| CVE-2021-27218 | Oracle Solaris | GLib | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 25 |
| CVE-2018-7160 | Oracle Solaris | Node.js | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 26 |
| CVE-2021-27212 | Oracle Solaris | OpenLDAP | LDAP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-20272 | Oracle Solaris | Privoxy | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 27 |
| CVE-2021-23987 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 28 |
| CVE-2021-23987 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 29 |
| CVE-2021-25122 | Oracle Solaris | Apache Tomcat | None | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | See Note 30 |
| CVE-2021-22191 | Oracle Solaris | Wireshark | Multiple | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2021-2011 | Oracle Solaris | MySQL | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | See Note 31 |
| CVE-2021-23336 | Oracle Solaris | Django | HTTP | Yes | 5.9 | Network | High | None | Required | Un changed |
None | Low | High | 11.4 | |
| CVE-2021-23336 | Oracle Solaris | Python | HTTP | Yes | 5.9 | Network | High | None | Required | Un changed |
None | Low | High | 11.4 | |
| CVE-2021-3281 | Oracle Solaris | Django | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | Low | None | 11.4 | |
| CVE-2021-2001 | Oracle Solaris | MySQL | Multiple | No | 4.9 | Network | Low | High | None | Un changed |
None | None | High | 11.4 | See Note 32 |
Notes:
1. This patch also addresses CVE-2021-1788 CVE-2021-1844.2. This patch also addresses CVE-2021-25214 CVE-2021-25215.
3. This patch also addresses CVE-2021-23961 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946.
4. This patch also addresses CVE-2021-23961 CVE-2021-23992 CVE-2021-23993 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVE-2021-29948 CVE-2021-29949.
5. This patch also addresses CVE-2020-1747.
6. This patch also addresses CVE-2020-27918 CVE-2020-29623 CVE-2020-9947 CVE-2021-1765 CVE-2021-1789 CVE-2021-1799 CVE-2021-1801.
7. This patch also addresses CVE-2020-35654 CVE-2021-25290 CVE-2021-25291 CVE-2021-25292 CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923.
8. This patch also addresses CVE-2021-27135.
9. This patch also addresses CVE-2020-14410.
10. This patch also addresses CVE-2021-23839 CVE-2021-23841.
11. This patch also addresses CVE-2021-23839 CVE-2021-23841.
12. This patch also addresses CVE-2020-8284 CVE-2020-8285 CVE-2020-8286.
13. This patch also addresses CVE-2020-35524.
14. This patch also addresses CVE-2019-11750.
15. This patch also addresses CVE-2021-2163.
16. This patch also addresses CVE-2021-2163.
17. This patch also addresses CVE-2021-20241 CVE-2021-20245 CVE-2021-20246.
18. This patch also addresses CVE-2020-35522.
19. This patch also addresses CVE-2021-28650.
20. This patch also addresses CVE-2021-23336.
21. This patch also addresses CVE-2020-28949.
22. This patch also addresses CVE-2020-35502 CVE-2021-20210 CVE-2021-20211 CVE-2021-20212 CVE-2021-20213 CVE-2021-20214 CVE-2021-20215.
23. This patch also addresses CVE-2020-1971 CVE-2020-8287.
24. This patch also addresses CVE-2020-26422 CVE-2021-22174.
25. This patch also addresses CVE-2021-27219.
26. This patch also addresses CVE-2021-22883 CVE-2021-22884 CVE-2021-23840.
27. This patch also addresses CVE-2021-20273 CVE-2021-20274 CVE-2021-20275 CVE-2021-20276.
28. This patch also addresses CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-29955.
29. This patch also addresses CVE-2021-23981 CVE-2021-23982 CVE-2021-23984.
30. This patch also addresses CVE-2020-9484 CVE-2021-25329.
31. This patch also addresses CVE-2021-2001 CVE-2021-2010 CVE-2021-2014 CVE-2021-2022 CVE-2021-2032 CVE-2021-2060.
32. This patch also addresses CVE-2021-2010 CVE-2021-2022 CVE-2021-2060.