Oracle Solaris Third Party Bulletin - January 2018

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 April 2018
  • 17 July 2018
  • 16 October 2018
  • 15 January 2019

References

Modification History

2018-March-20 Rev 3. Added all CVEs fixed in Solaris 11.3 SRU 30
2018-February-21 Rev 2. Added all CVEs fixed in Solaris 11.3 SRU 29
2018-January-16 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 SRU 28
 

Oracle Solaris Executive Summary

This Third Party Bulletin contains 33 new security fixes for Oracle Solaris.  22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2018-03-20

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs­Req'd UserInteract Scope Confid­entiality Inte­grity Avail­ability
CVE-2018-7322 Solaris Wireshark Multiple Yes 7.5 Network Low None None Un changed None None High 11.3 See Note 20
CVE-2017-3145 Solaris DHCP Server DHCP Yes 5.3 Network Low None None Un changed None None Low 11.3 See Note 19

Revision 2: Published on 2018-02-21

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs­Req'd UserInteract Scope Confid­entiality Inte­grity Avail­ability
CVE-2018-5117 Solaris Firefox Multiple Yes 8.8 Network Low None Required Un changed High High High 11.3 See Note 10
CVE-2018-5117 Solaris Thunderbird Multiple Yes 8.8 Network Low None Required Un changed High High High 11.3 See Note 15
CVE-2017-5753 Solaris NVIDIA-GFX Kernel driver Multiple No 8.2 Adjacent Network Low None None Changed High Low None 11.3 See Note 12
CVE-2017-11464 Solaris LibRSVG None No 7.8 Local Low None Required Un changed High High High 11.3  
CVE-2016-2334 Solaris P7ZIP Multiple Yes 7.5 Network Low None None Un changed None None High 11.3, 10 See Note 17
CVE-2017-15227 Solaris Irssi Multiple Yes 7.5 Network Low None None Un changed None None High 11.3 See Note 9
CVE-2017-3143 Solaris Bind Multiple Yes 7.5 Network Low None None Un changed None High None 11.3, 10 See Note 18
CVE-2017-5884 Solaris Remote Desktop Multiple Yes 7.5 Network High None Required Un changed High High High 11.3 See Note 7
CVE-2017-2885 Solaris LibSoup Multiple Yes 7.3 Network Low None None Un changed Low Low Low 11.3  
CVE-2018-5335 Solaris Wireshark Multiple Yes 5.9 Network High None None Un changed None None High 11.3 See Note 14
CVE-2017-10965 Solaris Irssi Multiple No 5.5 Adjacent Network Low Low None Un changed Low Low Low 11.3 See Note 16
CVE-2017-7846 Solaris Thunderbird Multiple No 5.5 Network Low Low Required Un changed Low Low Low 11.3 See Note 11
CVE-2015-7554 Solaris LibTIFF Multiple No 5.3 Local Low None Required Un changed Low Low Low 11.3, 10  
CVE-2015-7558 Solaris LibRSVG Multiple Yes 5.3 Network Low None None Un changed None None Low 11.3 See Note 5
CVE-2017-9765 Solaris LibKMSAgent Multiple No 4.8 Network High Low Required Un changed None High None 11.3  
CVE-2017-17880 Solaris ImageMagick None No 4.4 Local Low None Required Un changed Low None Low 11.3, 10  
CVE-2016-6163 Solaris LibRSVG Multiple Yes 4.3 Network Low None Required Un changed None None Low 11.3, 10 See Note 6
CVE-2018-5205 Solaris Irssi Multiple Yes 4.3 Network Low None Required Un changed None None Low 11.3 See Note 13
CVE-2017-13726 Solaris LibTIFF None No 3.3 Local Low None Required Un changed None None Low 11.3 See Note 8

Revision 1: Published on 2018-01-16

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs­Req'd UserInteract Scope Confid­entiality Inte­grity Avail­ability
CVE-2017-13721 Solaris X.Org None No 8.8 Local Low Low None Changed High High High 11.3, 10 See Note 4
CVE-2017-14867 Solaris Git None No 7.8 Local Low Low None Un changed High High High 11.3  
CVE-2016-10207 Solaris VNC Multiple Yes 7.5 Network Low None None Un changed None None High 11.3  
CVE-2017-9798 Solaris Apache HTTP server Multiple Yes 5.9 Network High None None Un changed High None None 11.3  
CVE-2017-9798 Solaris Apache HTTP server Multiple Yes 5.9 Network High None None Un changed High None None 11.3  
CVE-2017-17083 Solaris Wireshark Multiple Yes 5.9 Network High None None Un changed None None High 11.3 See Note 1
CVE-2017-3737 Solaris OpenSSL SSL/TLS Yes 5.9 Network High None None Un changed High None None 11.3, 10  
CVE-2017-3736 Solaris OpenSSL SSL/TLS Yes 5.9 Network High None None Un changed High None None 11.3, 10 See Note 2
CVE-2015-8213 Solaris Django Python web framework Multiple Yes 5.3 Network Low None None Un changed Low None None 11.3  
CVE-2017-7843 Solaris Firefox Multiple Yes 5.3 Network Low None None Un changed Low None None 11.3  
CVE-2017-15298 Solaris Git Multiple Yes 4.3 Network Low None Required Un changed None None Low 11.3  
CVE-2017-3736 Solaris OpenSSL SSL/TLS No 3.1 Network High Low None Un changed Low None None 11.3, 10 See Note 3

Notes:

  1. This fix also addresses CVE-2017-17084 CVE-2017-17085.
  2. This fix also addresses CVE-2015-3193 CVE-2016-0701 CVE-2017-3732 CVE-2017-3738.
  3. This fix also addresses CVE-2015-3193 CVE-2017-3732.
  4. This fix also addresses CVE-2017-13723.
  5. This fix also addresses CVE-2015-7557.
  6. This fix also addresses CVE-2016-4347 CVE-2016-4348.
  7. This fix also addresses CVE-2017-5885.
  8. This fix also addresses CVE-2017-13727.
  9. This fix also addresses CVE-2017-15228 CVE-2017-15721 CVE-2017-15722 CVE-2017-15723 CVE-2017-9468.
  10. This fix also addresses CVE-2017-2753 CVE-2018-5089 CVE-2018-5091 CVE-2018-5095 CVE-2018-5096 CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102 CVE-2018-5103 CVE-2018-5104.
  11. This fix also addresses CVE-2017-7829 CVE-2017-7845 CVE-2017-7847 CVE-2017-7848.
  12. This fix also addresses CVE-2017-5715 CVE-2017-5754.
  13. This fix also addresses CVE-2018-5206 CVE-2018-5207 CVE-2018-5208.
  14. This fix also addresses CVE-2018-5334 CVE-2018-5336.
  15. This fix also addresses CVE-2018-5089 CVE-2018-5095 CVE-2018-5096 CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102 CVE-2018-5103 CVE-2018-5104.
  16. This fix also addresses CVE-2017-10966.
  17. This fix also addresses CVE-2016-2335 CVE-2016-9296.
  18. This fix also addresses CVE-2017-3142.
  19. This fix also addresses CVE-2017-3144.
  20. This fix also addresses CVE-2018-6836 CVE-2018-7320 CVE-2018-7321 CVE-2018-7323 CVE-2018-7324 CVE-2018-7325 CVE-2018-7326 CVE-2018-7327 CVE-2018-7328 CVE-2018-7329 CVE-2018-7330 CVE-2018-7331 CVE-2018-7332 CVE-2018-7333 CVE-2018-7334 CVE-2018-7335 CVE-2018-7336 CVE-2018-7337 CVE-2018-7417 CVE-2018-7418 CVE-2018-7419 CVE-2018-7420 CVE-2018-7421.