Oracle Solaris Third Party Bulletin - January 2020
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 14 April 2020
- 14 July 2020
- 20 October 2020
- 19 January 2021
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2020-March-16 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 19 |
| 2020-February-18 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 18 |
| 2020-January-14 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 17 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 33 new security patches for the Oracle Solaris Operating System. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2020-03-16
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-5313 | Oracle Solaris | Pillow | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2019-1351 | Oracle Solaris | Git | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2019-11044 | Oracle Solaris | PHP | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 3 |
| CVE-2019-16201 | Oracle Solaris | Ruby | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 4 |
| CVE-2019-19269 | Oracle Solaris | ProFTPD | FTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 5 |
| CVE-2020-6800 | Oracle Solaris | Firefox | None | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2020-6800 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2019-12387 | Oracle Solaris | Twisted | Multiple | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 8 |
| CVE-2019-16056 | Oracle Solaris | Python | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 9 |
| CVE-2019-18874 | Oracle Solaris | Python Process And System Utilities | None | No | 7 | Local | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2019-16865 | Oracle Solaris | Pillow | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-19221 | Oracle Solaris | Libarchive | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2018-19844 | Oracle Solaris | Django | Multiple | No | 4.8 | Network | Low | High | Required | Changed | Low | Low | None | 11.4 | See Note 10 |
| CVE-2019-16935 | Oracle Solaris | Python 3.5 | Multiple | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 11.4 | |
| CVE-2019-16935 | Oracle Solaris | Python 3.7 | Multiple | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 11.4 | |
| CVE-2019-16935 | Oracle Solaris | Python 3.4 | Multiple | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 11.4 | |
Revision 2: Published on 2020-02-18
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-17017 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 11 |
| CVE-2019-17026 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2019-16775 | Oracle Solaris | Node.js | Multiple | No | 8.1 | Network | Low | Low | None | Un changed |
High | High | None | 11.4 | See Note 12 |
| CVE-2019-17017 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2020-7044 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2019-12418 | Oracle Solaris | Apache Tomcat | None | No | 7.4 | Local | High | None | None | Un changed |
High | High | High | 11.4 | See Note 14 |
| CVE-2019-9072 | Oracle Solaris | GNU Binary Utilities | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 15 |
| CVE-2019-16168 | Oracle Solaris | SQLite3 | Multiple | Yes | 5.3 | Network | High | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2018-1122 | Oracle Solaris | Watch | None | No | 4.8 | Local | Low | Low | Required | Un changed |
Low | Low | Low | 11.4 | See Note 16 |
Revision 1: Published on 2020-01-14
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-19012 | Oracle Solaris | Oniguruma | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 17 |
| CVE-2019-17012 | Oracle Solaris | Firefox | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 18 |
| CVE-2019-17012 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 19 |
| CVE-2019-5443 | Oracle Solaris | MySQL | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 20 |
| CVE-2019-13057 | Oracle Solaris | OpenLDAP server | LDAP | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 21 |
| CVE-2019-2911 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 22 |
| CVE-2018-15861 | Oracle Solaris | xkbcommon | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4 | See Note 23 |
| CVE-2019-19553 | Oracle Solaris | Wireshark | None | No | 2.9 | Local | High | None | None | Un changed |
None | Low | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312.2. This patch also addresses CVE-2019-1348 CVE-2019-1349 CVE-2019-1350 CVE-2019-1352 CVE-2019-1353 CVE-2019-1354 CVE-2019-1387 CVE-2019-19604.
3. This patch also addresses CVE-2019-11044 CVE-2019-11045 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050 CVE-2020-7059 CVE-2020-7060.
4. This patch also addresses CVE-2019-15845 CVE-2019-16254 CVE-2019-16255.
5. This patch also addresses CVE-2019-19270.
6. This patch also addresses CVE-2020-6796 CVE-2020-6797 CVE-2020-6798 CVE-2020-6800.
7. This patch also addresses CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6798 CVE-2020-6800.
8. This patch also addresses CVE-2019-12855.
9. This patch also addresses CVE-2019-11340 CVE-2019-16056.
10. This patch also addresses CVE-2019-19844.
11. This patch also addresses CVE-2019-17015 CVE-2019-17016 CVE-2019-17021 CVE-2019-17022 CVE-2019-17024 CVE-2019-17026.
12. This patch also addresses CVE-2019-16776 CVE-2019-16777.
13. This patch also addresses CVE-2019-17015 CVE-2019-17016 CVE-2019-17021 CVE-2019-17022 CVE-2019-17024.
14. This patch also addresses CVE-2019-17563.
15. This patch also addresses CVE-2019-17450 CVE-2019-17451 CVE-2019-9073 CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077.
16. This patch also addresses CVE-2018-1124 CVE-2018-1126.
17. This patch also addresses CVE-2019-19012 CVE-2019-19204 CVE-2019-19246.
18. This patch also addresses CVE-2019-11745 CVE-2019-13722 CVE-2019-17005 CVE-2019-17008 CVE-2019-17009 CVE-2019-17010 CVE-2019-17011.
19. This patch also addresses CVE-2019-11745 CVE-2019-13722 CVE-2019-17005 CVE-2019-17008 CVE-2019-17009 CVE-2019-17010 CVE-2019-17011.
20. This patch also addresses CVE-2019-2910 CVE-2019-2911 CVE-2019-2914 CVE-2019-2922 CVE-2019-2923 CVE-2019-2924 CVE-2019-2938 CVE-2019-2946 CVE-2019-2960 CVE-2019-2974 CVE-2019-2993.
21. This patch also addresses CVE-2019-13565.
22. This patch also addresses CVE-2019-2910 CVE-2019-2922 CVE-2019-2923 CVE-2019-2924 CVE-2019-2974.
23. This patch also addresses CVE-2018-15853 CVE-2018-15854 CVE-2018-15855 CVE-2018-15856 CVE-2018-15857 CVE-2018-15858 CVE-2018-15859 CVE-2018-15862 CVE-2018-15863 CVE-2018-15864.