Oracle Solaris Third Party Bulletin - July 2021
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 19 October 2021
- 18 January 2022
- 19 April 2022
- 19 July 2022
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2021-September-14 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 37. |
| 2021-August-26 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 36. |
| 2021-July-20 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 35. Solaris 11.3 ESU 36.26 released as well. |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 54 new security patches for the Oracle Solaris Operating System. 39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2021-09-14
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-34552 | Oracle Solaris | Python Imaging Library (PIL) | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-35042 | Oracle Solaris | Django | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-28091 | Oracle Solaris | Lasso Library | Multiple | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-33503 | Oracle Solaris | Urllib3 | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-32066 | Oracle Solaris | Ruby | None | No | 7 | Local | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2021-38115 | Oracle Solaris | GD2 Graphics Draw Library | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-25051 | Oracle Solaris | GNU Aspell | None | No | 5.5 | Local | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-20243 | Oracle Solaris | ImageMagick | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 2 |
| CVE-2019-11038 | Oracle Solaris | GD2 Graphics Draw Library | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2021-38165 | Oracle Solaris | Lynx | Multiple | Yes | 5.3 | Network | High | None | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2021-3672 | Oracle Solaris | C-Ares Asychronous Dns Library | None | Yes | 5 | Network | High | None | Required | Un changed |
Low | Low | Low | 11.4 | |
Revision 2: Published on 2021-08-26
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-20305 | Oracle Solaris | Nettle | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-31535 | Oracle Solaris | X.Org | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-3487 | Oracle Solaris | GNU binary utilities | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2014-3591 | Oracle Solaris | Libgcrypt | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 4 |
| CVE-2020-29361 | Oracle Solaris | p11-kit | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 5 |
| CVE-2021-20230 | Oracle Solaris | Stunnel | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-22222 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-2388 | Oracle Solaris | JDK 8 | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2021-25287 | Oracle Solaris | Python Imaging Library (PIL) | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2021-20231 | Oracle Solaris | GnuTLS | SSL/TLS | Yes | 7.4 | Network | High | None | None | Un changed |
None | High | High | 11.4 | See Note 8 |
| CVE-2020-26116 | Oracle Solaris | Urllib3 | Multiple | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4 | See Note 9 |
| CVE-2021-25217 | Oracle Solaris | ISC | DHCP | No | 6.5 | Adjacent Network |
Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-3450 | Oracle Solaris | Node.js | Multiple | No | 6.3 | Network | Low | Low | None | Un changed |
Low | Low | Low | 11.4 | See Note 10 |
| CVE-2021-20294 | Oracle Solaris | GNU binary utilities | None | No | 6.1 | Local | Low | None | Required | Un changed |
Low | None | High | 11.4 | See Note 11 |
| CVE-2021-28957 | Oracle Solaris | Python | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2021-3426 | Oracle Solaris | Python | HTTP | No | 5.7 | Adjacent Network |
Low | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-29338 | Oracle Solaris | OpenJPEG | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2003-1567 | Oracle Solaris | Install | HTTP | Yes | 4.3 | Network | Low | None | Required | Un changed |
Low | None | None | 11.4 | See Note 12 |
| CVE-2021-2369 | Oracle Solaris | JDK 7 | Multiple | Yes | 4.3 | Network | Low | None | Required | Un changed |
None | Low | None | 11.4 | See Note 13 |
| CVE-2020-25705 | Oracle Solaris | Kernel | ICMP | Yes | 4 | Network | High | None | None | Changed | Low | None | None | 11.4 | |
| CVE-2020-11736 | Oracle Solaris | file-roller | HTTP | No | 3.9 | Local | Low | Low | Required | Un changed |
None | Low | Low | 11.4 | See Note 14 |
| CVE-2021-22876 | Oracle Solaris | libcurl | HTTP | Yes | 3.7 | Network | High | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2021-22890 | Oracle Solaris | libcurl | TLS | Yes | 3.7 | Network | High | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2021-20193 | Oracle Solaris | GNU Tar | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2021-07-20
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-18032 | Oracle Solaris | Graphviz | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-3520 | Oracle Solaris | LZ4 | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-32055 | Oracle Solaris | Mutt | HTTP | Yes | 9.1 | Network | Low | None | None | Un changed |
High | None | High | 11.4 | |
| CVE-2020-14387 | Oracle Solaris | rsync | HTTP | Yes | 9.1 | Network | Low | None | None | Un changed |
High | High | None | 11.4 | |
| CVE-2021-20240 | Oracle Solaris | GDK-PixBuf | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-29967 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 15 |
| CVE-2021-29967 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 16 |
| CVE-2021-3472 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-3560 | Oracle Solaris | Polkit | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-27291 | Oracle Solaris | Pygments | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-20270 | Oracle Solaris | Pygments | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-28965 | Oracle Solaris | Ruby | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2021-2307 | Oracle Solaris | MySQL | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 17 |
| CVE-2021-31618 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4, 10 | |
| CVE-2021-3450 | Oracle Solaris | OpenSSL | TLS | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 18 |
| CVE-2021-32052 | Oracle Solaris | Django | HTTP | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | |
| CVE-2021-3449 | Oracle Solaris | OpenSSL | TLS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-33203 | Oracle Solaris | Django | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | See Note 19 |
| CVE-2021-3468 | Oracle Solaris | Avahi | None | No | 5.5 | Local | Low | Low | None | Un changed |
None | None | High | 11.4 | |
Notes:
1. This patch also addresses CVE-2021-31799 CVE-2021-31810.2. This patch also addresses CVE-2021-20244.
3. This patch also addresses CVE-2020-35448 CVE-2021-20284.
4. This patch also addresses CVE-2021-33560.
5. This patch also addresses CVE-2020-29362 CVE-2020-29363.
6. This patch also addresses CVE-2021-2341 CVE-2021-2369.
7. This patch also addresses CVE-2021-25288 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678.
8. This patch also addresses CVE-2021-20232.
9. This patch also addresses CVE-2020-26137.
10. This patch also addresses CVE-2020-7774 CVE-2021-3449.
11. This patch also addresses CVE-2020-35448 CVE-2020-35493 CVE-2020-35494 CVE-2020-35495 CVE-2020-35496 CVE-2020-35507 CVE-2021-20197.
12. This patch also addresses CVE-2004-2320 CVE-2010-0386.
13. This patch also addresses CVE-2021-2341 CVE-2021-2432.
14. This patch also addresses CVE-2020-36314.
15. This patch also addresses CVE-2021-29951 CVE-2021-29964.
16. This patch also addresses CVE-2021-29951 CVE-2021-29956 CVE-2021-29957 CVE-2021-29964.
17. This patch also addresses CVE-2021-2146 CVE-2021-2154 CVE-2021-2162 CVE-2021-2166 CVE-2021-2169 CVE-2021-2171 CVE-2021-2174 CVE-2021-2179 CVE-2021-2180 CVE-2021-2194 CVE-2021-2226 CVE-2021-23841 CVE-2021-3449.
18. This patch also addresses CVE-2021-3449.
19. This patch also addresses CVE-2021-33571.