Oracle Solaris Third Party Bulletin - January 2021
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 20 April 2021
- 20 July 2021
- 19 October 2021
- 18 January 2022
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2021-March-16 | Rev 4. Added CVEs fixed in Solaris 11.4 SRU 31 |
| 2021-February-16 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 30 |
| 2021-January-28 | Rev 2. Added CVE-2021-3156 |
| 2021-January-19 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.24 and Solaris 11.4 SRU 29 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 45 new security patches for the Oracle Solaris Operating System. 33 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 4: Published on 2021-03-16
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-16044 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2020-35654 | Oracle Solaris | Python Imaging Library (PIL) | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2021-23978 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2021-23978 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2020-25681 | Oracle Solaris | DNSmasq | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2020-8625 | Oracle Solaris | Bind | TSIG | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-27814 | Oracle Solaris | OpenJPEG | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2020-26154 | Oracle Solaris | libproxy | Multiple | No | 7.5 | Adjacent Network |
High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-36221 | Oracle Solaris | OpenLDAP server | LDAP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2021-21702 | Oracle Solaris | PHP | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 8 |
| CVE-2020-15685 | Oracle Solaris | Thunderbird | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 9 |
| CVE-2020-27783 | Oracle Solaris | Python-lxml | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2020-25659 | Oracle Solaris | Python cryptographic standard library | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | |
Revision 3: Published on 2021-02-16
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-15900 | Oracle Solaris | Ghostscript | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-13543 | Oracle Solaris | WebKitGTK | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 10 |
| CVE-2020-26971 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 11 |
| CVE-2020-26971 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-12695 | Oracle Solaris | Pidgin | Multiple | No | 8.2 | Adjacent Network |
Low | None | None | Changed | High | None | Low | 11.4 | |
| CVE-2019-20916 | Oracle Solaris | PIP | Multiple | No | 8 | Network | Low | Low | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-14360 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2020-11979 | Oracle Solaris | Apache Ant | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 13 |
| CVE-2020-1472 | Oracle Solaris | SMB Server | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-1967 | Oracle Solaris | OpenSSL | TLS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-25692 | Oracle Solaris | OpenLDAP server | LDAP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-26117 | Oracle Solaris | VNC | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2020-27619 | Oracle Solaris | Python | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-8037 | Oracle Solaris | TCPdump | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-8277 | Oracle Solaris | Node.js | DNS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-8252 | Oracle Solaris | Node.js | HTTP | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 14 |
| CVE-2020-24977 | Oracle Solaris | libxml2 | Multiple | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | None | Low | 11.4 | |
| CVE-2020-3299 | Oracle Solaris | Snort | HTTP | Yes | 5.8 | Network | Low | None | None | Changed | None | Low | None | 11.4 | |
| CVE-2018-21232 | Oracle Solaris | re2c | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2020-29385 | Oracle Solaris | GNOME | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-7317 | Oracle Solaris | LibPNG | Multiple | Yes | 5.3 | Network | High | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2020-26418 | Oracle Solaris | Wireshark | None | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 15 |
| CVE-2020-28896 | Oracle Solaris | Mutt | Multiple | Yes | 5.3 | Network | High | None | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2020-14323 | Oracle Solaris | Samba | None | No | 5 | Local | Low | Low | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2020-14318 | Oracle Solaris | Samba | Multiple | No | 4.3 | Network | Low | Low | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2019-9904 | Oracle Solaris | Graphviz | None | No | 2.9 | Local | High | None | None | Un changed |
None | None | Low | 11.4 | |
Revision 2: Published on 2021-01-28
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-3156 | Oracle Solaris | Sudo | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4, 11.3, 10 | |
Revision 1: Published on 2021-01-19
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-26970 | Oracle Solaris | Thunderbird | SMTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-17527 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2020-1971 | Oracle Solaris | OpenSSL | TLS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.3, 10 | |
| CVE-2020-13943 | Oracle Solaris | Apache Tomcat | HTTP | No | 4.3 | Network | Low | Low | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2020-1968 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Un changed |
Low | None | None | 11.3, 10 | |
Notes:
1. This patch also addresses CVE-2020-26976 CVE-2021-23953 CVE-2021-23954 CVE-2021-23960 CVE-2021-23964.2. This patch also addresses CVE-2020-35653 CVE-2020-35655.
3. This patch also addresses CVE-2021-23968 CVE-2021-23969 CVE-2021-23973.
4. This patch also addresses CVE-2021-23968 CVE-2021-23969 CVE-2021-23973.
5. This patch also addresses CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687.
6. This patch also addresses CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27844 CVE-2020-27845.
7. This patch also addresses CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230.
8. This patch also addresses CVE-2020-7071.
9. This patch also addresses CVE-2020-16044 CVE-2020-26976 CVE-2021-23953 CVE-2021-23954 CVE-2021-23960 CVE-2021-23964.
10. This patch also addresses CVE-2020-13584 CVE-2020-9948 CVE-2020-9951 CVE-2020-9952 CVE-2020-9983.
11. This patch also addresses CVE-2020-16042 CVE-2020-26973 CVE-2020-26974 CVE-2020-26978 CVE-2020-35111 CVE-2020-35112 CVE-2020-35113.
12. This patch also addresses CVE-2020-25712.
13. This patch also addresses CVE-2020-1945.
14. This patch also addresses CVE-2020-8201 CVE-2020-8251 CVE-2020-8277.
15. This patch also addresses CVE-2020-26419 CVE-2020-26420 CVE-2020-26421.