Oracle Solaris Third Party Bulletin - April 2022
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 19 July 2022
- 18 October 2022
- 17 January 2023
- 18 April 2023
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2022-June-17 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 46 |
| 2022-May-17 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 45 |
| 2022-April-19 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 44 and Solaris 11.3 ESU 36.29 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 45 new security patches for the Oracle Solaris Operating System. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2022-06-17
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-25032 | Oracle Solaris | Zlib | Multiple | Yes | 8.2 | Network | Low | None | None | Un changed |
None | Low | High | 11.4 | |
| CVE-2022-1097 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2022-1097 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2022-1520 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2022-29909 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2022-28346 | Oracle Solaris | Django | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 5 |
Revision 2: Published on 2022-05-17
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-22620 | Oracle Solaris | WebKitGTK | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2022-22592 | Oracle Solaris | WebKitGTK | HTTP | Yes | 8.1 | Network | Low | None | Required | Un changed |
High | High | None | 11.4 | See Note 6 |
| CVE-2022-23308 | Oracle Solaris | libxml2 | HTTP | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-4173 | Oracle Solaris | Vim | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2021-45444 | Oracle Solaris | Zsh | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2022-0729 | Oracle Solaris | Vim | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2020-29651 | Oracle Solaris | Python | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-22946 | Oracle Solaris | MySQL | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 9 |
| CVE-2021-41771 | Oracle Solaris | GCC Go | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 10 |
| CVE-2022-21476 | Oracle Solaris | JDK 7 | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 11 |
| CVE-2022-21476 | Oracle Solaris | JDK 8 | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 12 |
| CVE-2022-4187 | Oracle Solaris | Vim | None | No | 7.3 | Local | Low | Low | Required | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2021-25220 | Oracle Solaris | BIND | DNS | No | 6.8 | Network | Low | High | None | Changed | None | High | None | 11.4, 10 | |
| CVE-2021-4136 | Oracle Solaris | Vim | None | No | 6.8 | Local | Low | Low | Required | Un changed |
High | High | Low | 11.4 | |
| CVE-2021-30897 | Oracle Solaris | WebKitGTK | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
High | None | None | 11.4 | See Note 14 |
| CVE-2021-34558 | Oracle Solaris | GCC Go | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2021-45483 | Oracle Solaris | WebKitGTK | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 15 |
| CVE-2021-36221 | Oracle Solaris | GCC Go | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-0561 | Oracle Solaris | Multimedia | None | No | 5.5 | Local | Low | Low | None | Un changed |
High | None | None | 11.4 | See Note 16 |
| CVE-2021-43519 | Oracle Solaris | Lua | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2022-24130 | Oracle Solaris | XTerm | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2021-4217 | Oracle Solaris | Unzip | None | No | 4.7 | Local | High | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2021-3448 | Oracle Solaris | DNSmasq | DNS | Yes | 4 | Network | High | None | None | Changed | None | Low | None | 11.4 | |
| CVE-2021-4115 | Oracle Solaris | Polkit | None | No | 3.3 | Local | Low | Low | None | Un changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2022-04-19
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-23852 | Oracle Solaris | libexpat | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4, 11.3 | See Note 17 |
| CVE-2022-25235 | Oracle Solaris | libexpat | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4, 11.3 | See Note 18 |
| CVE-2022-0336 | Oracle Solaris | Samba | SMB | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 19 |
| CVE-2020-25717 | Oracle Solaris | Samba | SMB | No | 8.1 | Network | Low | Low | None | Un changed |
High | High | None | 11.4 | |
| CVE-2022-22822 | Oracle Solaris | libexpat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4, 11.3 | See Note 20 |
| CVE-2022-23833 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 21 |
| CVE-2022-21712 | Oracle Solaris | Twisted | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2022-24407 | Oracle Solaris | SASL | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4, 10 | See Note 22 |
| CVE-2022-21716 | Oracle Solaris | Twisted | SSH | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-26381 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 23 |
| CVE-2022-0778 | Oracle Solaris | OpenSSL | TLS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4, 11.3, 10 | |
| CVE-2022-22720 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 24 |
| CVE-2022-0566 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 25 |
| CVE-2022-0391 | Oracle Solaris | Python | HTTP | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4 | |
| CVE-2021-43566 | Oracle Solaris | Samba | SMB | No | 2.6 | Adjacent Network |
High | Low | None | Un changed |
None | Low | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2022-1196 CVE-2022-24713 CVE-2022-28281 CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289.2. This patch also addresses CVE-2022-1196 CVE-2022-1197 CVE-2022-24713 CVE-2022-28281 CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289.
3. This patch also addresses CVE-2022-29909 CVE-2022-29911 CVE-2022-29912 CVE-2022-29913 CVE-2022-29914 CVE-2022-29916 CVE-2022-29917.
4. This patch also addresses CVE-2022-29911 CVE-2022-29912 CVE-2022-29914 CVE-2022-29916 CVE-2022-29917.
5. This patch also addresses CVE-2022-28347.
6. This patch also addresses CVE-2022-22589.
7. This patch also addresses CVE-2021-4166 CVE-2021-4192 CVE-2021-4193.
8. This patch also addresses CVE-2022-0408 CVE-2022-0413 CVE-2022-0417 CVE-2022-0443 CVE-2022-0554 CVE-2022-0572 CVE-2022-0629 CVE-2022-0685 CVE-2022-0696 CVE-2022-0714.
9. This patch also addresses CVE-2022-21245 CVE-2022-21270 CVE-2022-21303 CVE-2022-21304 CVE-2022-21344 CVE-2022-21367.
10. This patch also addresses CVE-2021-41772.
11. This patch also addresses CVE-2022-21426 CVE-2022-21434 CVE-2022-21443 CVE-2022-21496.
12. This patch also addresses CVE-2022-21426 CVE-2022-21434 CVE-2022-21443 CVE-2022-21496.
13. This patch also addresses CVE-2021-4187 CVE-2022-0128 CVE-2022-0156 CVE-2022-0158 CVE-2022-0261 CVE-2022-0318 CVE-2022-0319.
14. This patch also addresses CVE-2021-30818 CVE-2021-30823 CVE-2021-30836 CVE-2021-30884 CVE-2021-30887 CVE-2021-30888 CVE-2021-30889 CVE-2021-30890.
15. This patch also addresses CVE-2021-30936 CVE-2021-30951 CVE-2021-30952 CVE-2021-30953 CVE-2021-30954 CVE-2021-30984 CVE-2021-45481 CVE-2021-45482.
16. This patch also addresses CVE-2020-0499.
17. This patch also addresses CVE-2022-23990.
18. This patch also addresses CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315.
19. This patch also addresses CVE-2021-44142.
20. This patch also addresses CVE-2021-45960 CVE-2021-46143 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827.
21. This patch also addresses CVE-2022-22818.
22. This patch also addresses CVE-2019-19906.
23. This patch also addresses CVE-2022-26383 CVE-2022-26384 CVE-2022-26386 CVE-2022-26387 CVE-2022-26485 CVE-2022-26486.
24. This patch also addresses CVE-2022-22719 CVE-2022-22721 CVE-2022-23943.
25. This patch also addresses CVE-2022-26381 CVE-2022-26383 CVE-2022-26384 CVE-2022-26386 CVE-2022-26387 CVE-2022-26485 CVE-2022-26486.