Oracle Solaris Third Party Bulletin - October 2021
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 18 January 2022
- 19 April 2022
- 19 July 2022
- 18 October 2022
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2021-December-10 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 40 |
| 2021-November-16 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 39 |
| 2021-October-19 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 38 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 78 new security patches for the Oracle Solaris Operating System. 57 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2021-12-10
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-38503 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2021-38503 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2021-41617 | Oracle Solaris | OpenSSH | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-42097 | Oracle Solaris | Mailman | Multiple | No | 8 | Network | Low | Low | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2021-42771 | Oracle Solaris | I18n Utilities For Python | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-38496 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2021-42340 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-21703 | Oracle Solaris | PHP | None | No | 6.4 | Local | High | High | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-13038 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2018-14339 | Oracle Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | See Note 5 |
| CVE-2021-25219 | Oracle Solaris | Bind | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4, 10 | |
Revision 2: Published on 2021-11-16
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-26950 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2021-1817 | Oracle Solaris | WebKitGTK | None | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2021-30858 | Oracle Solaris | WebKitGTK | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-3518 | Oracle Solaris | libxml2 | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2020-25097 | Oracle Solaris | Squid | Multiple | Yes | 8.6 | Network | Low | None | None | Changed | High | None | None | 11.4 | |
| CVE-2021-3517 | Oracle Solaris | libxml2 | Multiple | Yes | 8.6 | Network | Low | None | None | Un changed |
Low | Low | High | 11.4 | |
| CVE-2021-3517 | Oracle Solaris | JDK 8 | Multiple | Yes | 8.6 | Network | Low | None | None | Un changed |
Low | Low | High | 11.4 | See Note 9 |
| CVE-2021-22901 | Oracle Solaris | libcurl | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 10 |
| CVE-2021-37701 | Oracle Solaris | Node.js | Multiple | Yes | 8.1 | Network | Low | None | Required | Un changed |
None | High | High | 11.4 | See Note 11 |
| CVE-2018-19490 | Oracle Solaris | Gnuplot | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2021-3497 | Oracle Solaris | GStreamer | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2021-3516 | Oracle Solaris | libxml2 | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-36318 | Oracle Solaris | Rust | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2021-22117 | Oracle Solaris | RabbitMQ | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 15 |
| CVE-2021-22959 | Oracle Solaris | Node.js | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 16 |
| CVE-2021-23437 | Oracle Solaris | Python Imaging Library (PIL) | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-3530 | Oracle Solaris | GNU binary utilities | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-3580 | Oracle Solaris | Nettle | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-36690 | Oracle Solaris | SQLite3 | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-28651 | Oracle Solaris | Squid | Multiple | Yes | 7.4 | Network | Low | None | Required | Changed | None | None | High | 11.4 | See Note 17 |
| CVE-2021-35940 | Oracle Solaris | Apache Portable Runtime | Multiple | No | 7.1 | Local | Low | Low | None | Un changed |
High | None | High | 11.4 | See Note 18 |
| CVE-2021-20254 | Oracle Solaris | Samba | Multiple | No | 6.8 | Network | High | Low | None | Un changed |
High | High | None | 11.4 | |
| CVE-2021-28652 | Oracle Solaris | Squid | Multiple | No | 6.8 | Network | Low | High | None | Changed | None | None | High | 11.4 | |
| CVE-2020-7942 | Oracle Solaris | Puppet | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-22922 | Oracle Solaris | libcurl | null | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | High | None | 11.4 | See Note 19 |
| CVE-2021-28662 | Oracle Solaris | Squid | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2021-28662 | Oracle Solaris | Squid | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 20 |
| CVE-2021-30640 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 6.5 | Network | High | None | None | Un changed |
Low | High | None | 11.4, 10 | See Note 21 |
| CVE-2021-31807 | Oracle Solaris | Squid | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-33620 | Oracle Solaris | Squid | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-33620 | Oracle Solaris | Squid | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-3541 | Oracle Solaris | libxml2 | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2008-2711 | Oracle Solaris | Fetchmail | HTTP | No | 6.1 | Local | Low | Low | None | Un changed |
Low | None | High | 11.4 | See Note 22 |
| CVE-2021-22945 | Oracle Solaris | libcurl | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | See Note 23 |
| CVE-2021-3537 | Oracle Solaris | libxml2 | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-35550 | Oracle Solaris | JDK 7 | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | See Note 24 |
| CVE-2021-40528 | Oracle Solaris | Libgcrypt | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-35517 | Oracle Solaris | Apache Ant | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 25 |
| CVE-2021-28116 | Oracle Solaris | Squid | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2021-32719 | Oracle Solaris | RabbitMQ | Multiple | No | 4.8 | Network | Low | High | Required | Changed | Low | Low | None | 11.4 | |
Revision 1: Published on 2021-10-19
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-3781 | Oracle Solaris | Ghostscript | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-3246 | Oracle Solaris | Libsndfile | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-29970 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 26 |
| CVE-2021-29970 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 27 |
| CVE-2019-17543 | Oracle Solaris | MySQL | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 28 |
| CVE-2021-32803 | Oracle Solaris | Node.js | Multiple | Yes | 8.1 | Network | Low | None | Required | Un changed |
None | High | High | 11.4 | |
| CVE-2021-32803 | Oracle Solaris | Node.js | Multiple | Yes | 8.1 | Network | Low | None | Required | Un changed |
None | High | High | 11.4 | See Note 29 |
| CVE-2021-3711 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-37701 | Oracle Solaris | Node.js | Multiple | Yes | 8.1 | Network | Low | None | Required | Un changed |
None | High | High | 11.4 | See Note 30 |
| CVE-2021-42013 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 31 |
| CVE-2021-22921 | Oracle Solaris | Node.js | Multiple | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 32 |
| CVE-2021-36770 | Oracle Solaris | Perl | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-10931 | Oracle Solaris | Memcached | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-22930 | Oracle Solaris | Node.js | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-22235 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-36222 | Oracle Solaris | Kerberos | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2016-20011 | Oracle Solaris | Grilo | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 33 |
| CVE-2021-40145 | Oracle Solaris | GD2 Graphics Draw Library | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-38492 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 34 |
| CVE-2021-38492 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 35 |
| CVE-2021-39275 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 36 |
| CVE-2021-41524 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-42013 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 37 |
| CVE-2021-22930 | Oracle Solaris | Node.js | Multiple | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 38 |
| CVE-2021-3711 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | None | Low | 11.4, 10 | See Note 39 |
| CVE-2021-21704 | Oracle Solaris | PHP | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | See Note 40 |
| CVE-2020-8694 | Oracle Solaris | Kernel | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 11 | |
Notes:
1. This patch also addresses CVE-2021-29980 CVE-2021-29981 CVE-2021-29982 CVE-2021-29985 CVE-2021-29987 CVE-2021-29990 CVE-2021-29991 CVE-2021-32810 CVE-2021-38495 CVE-2021-38497 CVE-2021-38498 CVE-2021-38501 CVE-2021-38504 CVE-2021-38505 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509.2. This patch also addresses CVE-2021-29981 CVE-2021-29982 CVE-2021-29987 CVE-2021-29991 CVE-2021-38502 CVE-2021-38504 CVE-2021-38505 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509.
3. This patch also addresses CVE-2021-42096.
4. This patch also addresses CVE-2021-38500.
5. This patch also addresses CVE-2018-14340 CVE-2018-14341 CVE-2018-14342 CVE-2018-14343 CVE-2018-14344 CVE-2018-14367 CVE-2018-14368 CVE-2018-14369 CVE-2018-16056 CVE-2018-16057 CVE-2018-16058.
6. This patch also addresses CVE-2020-16042 CVE-2020-26968 CVE-2020-35113 CVE-2021-23960 CVE-2021-23964 CVE-2021-29955 CVE-2021-29967.
7. This patch also addresses CVE-2021-1820 CVE-2021-1825 CVE-2021-1826 CVE-2021-21775 CVE-2021-21779 CVE-2021-21806 CVE-2021-30661 CVE-2021-30663 CVE-2021-30665 CVE-2021-30666 CVE-2021-30682 CVE-2021-30689 CVE-2021-30720 CVE-2021-30734 CVE-2021-30744 CVE-2021-30749 CVE-2021-30758 CVE-2021-30761 CVE-2021-30762 CVE-2021-30795 CVE-2021-30797 CVE-2021-30799.
8. This patch also addresses CVE-2019-20388 CVE-2020-24977 CVE-2020-7595 CVE-2021-3517 CVE-2021-3537.
9. This patch also addresses CVE-2021-3522 CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35560 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35588 CVE-2021-35603.
10. This patch also addresses CVE-2021-22897 CVE-2021-22898.
11. This patch also addresses CVE-2021-37712 CVE-2021-37713 CVE-2021-39134 CVE-2021-39135.
12. This patch also addresses CVE-2018-19491 CVE-2018-19492.
13. This patch also addresses CVE-2021-3498 CVE-2021-3522.
14. This patch also addresses CVE-2020-36317 CVE-2021-28875 CVE-2021-28876 CVE-2021-28877 CVE-2021-28878 CVE-2021-28879 CVE-2021-29922.
15. This patch also addresses CVE-2020-5419 CVE-2021-22116.
16. This patch also addresses CVE-2021-22960.
17. This patch also addresses CVE-2021-28116 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVE-2021-31807 CVE-2021-31808 CVE-2021-33620.
18. This patch also addresses CVE-2021-35940.
19. This patch also addresses CVE-2021-22898 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925.
20. This patch also addresses CVE-2021-28652 CVE-2021-31806 CVE-2021-31808.
21. This patch also addresses CVE-2021-33037.
22. This patch also addresses CVE-2020-36386 CVE-2021-36386.
23. This patch also addresses CVE-2021-22946 CVE-2021-22947.
24. This patch also addresses CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35586 CVE-2021-35588 CVE-2021-35603.
25. This patch also addresses CVE-2021-36090 CVE-2021-36373 CVE-2021-36374.
26. This patch also addresses CVE-2021-29976 CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989 CVE-2021-30547.
27. This patch also addresses CVE-2021-29969 CVE-2021-29976 CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989 CVE-2021-30547.
28. This patch also addresses CVE-2021-22901 CVE-2021-2342 CVE-2021-2356 CVE-2021-2372 CVE-2021-2385 CVE-2021-2389 CVE-2021-2390.
29. This patch also addresses CVE-2021-32804.
30. This patch also addresses CVE-2021-37712 CVE-2021-37713 CVE-2021-39134 CVE-2021-39135.
31. This patch also addresses CVE-2021-41773.
32. This patch also addresses CVE-2021-22918 CVE-2021-23362 CVE-2021-27290.
33. This patch also addresses CVE-2021-39365.
34. This patch also addresses CVE-2021-38493.
35. This patch also addresses CVE-2021-38493.
36. This patch also addresses CVE-2021-33193 CVE-2021-34798 CVE-2021-36160 CVE-2021-40438.
37. This patch also addresses CVE-2021-41773.
38. This patch also addresses CVE-2021-22931 CVE-2021-22939 CVE-2021-22940.
39. This patch also addresses CVE-2021-3712.
40. This patch also addresses CVE-2021-21705.