Oracle Solaris Third Party Bulletin - April 2018

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 July 2018
  • 16 October 2018
  • 15 January 2019
  • 16 April 2019

References

Modification History

2018-June-15 Rev 3. Added all CVEs fixed in Solaris 11.3 SRU 33
2018-May-15 Rev 2. Added all CVEs fixed in Solaris 11.3 SRU 32
2018-April-17 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 SRU 31

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 41 new security fixes for the Oracle Solaris Operating System. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2018-06-15

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs Req'd User Interact Scope Confid-entiality Inte-grity Avail-ability
CVE-2018-5159 Solaris Firefox Multiple Yes 8.8 Network Low None Required Un changed High High High 11.3 See Note 30
CVE-2018-5159 Solaris Thunderbird Multiple Yes 8.8 Network Low None Required Un changed High High High 11.3 See Note 28
CVE-2018-5702 Solaris Transmission Multiple Yes 8.8 Network Low None Required Un changed High High High 11.3
CVE-2017-13757 Solaris GNU binary utilities None No 7.8 Local Low None Required Un changed High High High 11.3, 10 See Note 27
CVE-2017-17080 Solaris GNU binary utilities None No 7.8 Local Low None Required Un changed High High High 11.3 See Note 5
CVE-2018-1000156 Solaris GNU patch utility None No 7.8 Local Low Low None Un changed High High High 11.3, 10 See Note 4
CVE-2018-6543 Solaris GNU binary utilities None No 7.8 Local Low None Required Un changed High High High 11.3 See Note 13
CVE-2018-2755 Solaris MySQL None No 7.7 Local High None Required Changed High High High 11.3 See Note 31
CVE-2018-2755 Solaris MySQL None No 7.7 Local High None Required Changed High High High 11.3 See Note 32
CVE-2017-8818 Solaris libcurl Multiple Yes 7.5 Network Low None None Un changed None None High 11.3 See Note 26
CVE-2018-5712 Solaris PHP Multiple Yes 7.5 Network Low None None Un changed None None High 11.3 See Note 29
CVE-2018-1000120 Solaris libcurl Multiple Yes 6.5 Network Low None None Un changed Low None Low 11.3 See Note 9
CVE-2018-11356 Solaris Wireshark Multiple Yes 5.9 Network High None None Un changed None None High 11.3 See Note 33
CVE-2016-8625 Solaris libcurl Multiple Yes 5.3 Network Low None None Un changed None Low None 11.3
CVE-2017-1000100 Solaris libcurl Multiple Yes 4.8 Network High None None Un changed Low None Low 11.3
CVE-2017-1000257 Solaris libcurl Multiple Yes 4.8 Network High None None Un changed Low None Low 11.3
CVE-2017-1000099 Solaris libcurl None No 4.7 Local High Low None Un changed High None None 11.3
CVE-2018-10545 Solaris PHP None No 4.4 Local Low High None Un changed High None None 11.3
CVE-2018-1000005 Solaris libcurl Multiple Yes 4.3 Network Low None Required Un changed Low None None 11.3 See Note 25
CVE-2016-10713 Solaris GNU patch utility None No 4.2 Local Low High Required Un changed None None High 11.3, 10 See Note 19
CVE-2017-1000101 Solaris libcurl Multiple Yes 4.2 Network High None Required Un changed Low None Low 11.3
CVE-2017-1000254 Solaris libcurl Multiple Yes 3.7 Network High None None Un changed None None Low 11.3
CVE-2016-6131 Solaris GNU binary utilities None No 3.3 Local Low None Required Un changed None None Low 11.3
CVE-2018-6942 Solaris FreeType None No 3.3 Local Low None Required Un changed None None Low 11.3, 10

Revision 2: Published on 2018-05-15

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs Req'd User Interact Scope Confid-entiality Inte-grity Avail-ability
CVE-2018-7750 Solaris Python Modules Multiple Yes 9.8 Network Low None None Un changed High High High 11.3
CVE-2017-12883 Solaris Perl Multiple Yes 9.1 Network Low None None Un changed High None High 11.3
CVE-2017-12837 Solaris Perl Multiple Yes 7.5 Network Low None None Un changed None None High 11.3
CVE-2017-14746 Solaris Samba SMB No 6.3 Adjacent Network Low None None Un changed Low Low Low 11.3, 10 See Note 17
CVE-2017-3738 Solaris OpenSSL SSL/TLS Yes 5.9 Network High None None Un changed High None None 11.3, 10 See Note 16
CVE-2018-9256 Solaris Wireshark Multiple Yes 5.3 Network Low None None Un changed None None Low 11.3 See Note 14
CVE-2018-1050 Solaris Samba SMB No 4.3 Adjacent Network Low None None Un changed None None Low 11.3 See Note 19
CVE-2018-1312 Solaris Apache HTTP server HTTP Yes 4.2 Network High None Required Un changed Low Low None 11.3 See Note 20
CVE-2018-7443 Solaris ImageMagick None No 3.3 Local Low None Required Un changed None None Low 11.3, 10 See Note 15

Revision 1: Published on 2018-04-17

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs Req'd User Interact Scope Confid-entiality Inte-grity Avail-ability
CVE-2018-5379 Solaris Quagga Multiple Yes 9.8 Network Low None None Un changed High High High 11.3, 10
CVE-2016-1245 Solaris Quagga Multiple Yes 9.8 Network Low None None Un changed High High High 11.3, 10
CVE-2018-5146 Solaris Firefox Multiple Yes 8.8 Network Low None Required Un changed High High High 11.3
CVE-2018-5125 Solaris Thunderbird Multiple Yes 8.8 Network Low None Required Un changed High High High 11.3 See Note 10
CVE-2017-1000158 Solaris Python Multiple Yes 8.1 Network High None None Un changed High High High 11.3, 10
CVE-2017-16611 Solaris X.Org None No 7.8 Local Low None Required Un changed High High High 11.3 See Note 11
CVE-2017-17784 Solaris Gimp None No 7.8 Local Low None Required Un changed High High High 11.3
CVE-2017-17789 Solaris Gimp None No 7.8 Local Low None Required Un changed High High High 11.3
CVE-2017-5581 Solaris VNC Multiple Yes 7.5 Network High None Required Un changed High High High 11.3, 10
CVE-2017-7392 Solaris VNC Multiple Yes 7.5 Network Low None None Un changed None None High 11.3, 10 See Note 1
CVE-2017-11143 Solaris PHP Multiple Yes 7.5 Network Low None None Un changed None None High 11.3 See Note 2
CVE-2018-2696 Solaris MySQL MySQL Protocol Yes 7.5 Network Low None None Un changed None None High 11.3 See Note 12
CVE-2018-5381 Solaris Quagga Multiple Yes 7.5 Network Low None None Un changed None None High 11.3, 10
CVE-2018-5130 Solaris Firefox Multiple Yes 7.5 Network High None Required Un changed High High High 11.3 See Note 9
CVE-2018-5148 Solaris Firefox Multiple Yes 7.5 Network High None Required Un changed High High High 11.3
CVE-2018-1000031 Solaris Unzip None No 7 Local High None Required Un changed High High High 11.3, 10 See Note 3
CVE-2018-2562 Solaris MySQL MySQL Protocol No 6.5 Network Low Low None Un changed High None None 11.3 See Note 13
CVE-2018-5712 Solaris PHP Multiple Yes 6.1 Network Low None Required Changed Low Low None 11.3 See Note 5
CVE-2018-5378 Solaris Quagga Multiple No 5.9 Network High Low None Un changed Low None High 11.3, 10
CVE-2018-5733 Solaris DHCP Server DHCP Yes 5.9 Network High None None Un changed None None High 11.3 See Note 8
CVE-2018-7584 Solaris PHP Multiple Yes 5.9 Network High None None Un changed None None High 11.3
CVE-2017-7890 Solaris PHP None No 5.5 Local Low None Required Un changed High None None 11.3
CVE-2017-15706 Solaris Apache Tomcat HTTP Yes 5.3 Network Low None None Un changed None Low None 11.3, 10
CVE-2018-7182 Solaris NTP NTP Yes 5.3 Network Low None None Un changed Low None None 11.3, 10
CVE-2018-7170 Solaris NTP NTP No 5.3 Network High Low None Un changed None High None 11.3, 10
CVE-2018-7183 Solaris NTP NTP Yes 5 Network High None Required Un changed Low Low Low 11.3, 10
CVE-2018-1305 Solaris Apache Tomcat HTTP Yes 4.8 Network High None None Un changed Low Low None 11.3, 10 See Note 6
CVE-2017-16227 Solaris Quagga Multiple No 4.3 Network Low Low None Un changed None None Low 11.3, 10
CVE-2018-7050 Solaris Irssi Multiple Yes 3.7 Network High None None Un changed None None Low 11.3 See Note 4
CVE-2018-7184 Solaris NTP NTP No 3.1 Network High Low None Un changed None None Low 11.3, 10
CVE-2018-7185 Solaris NTP NTP No 3.1 Network High Low None Un changed None None Low 11.3, 10
CVE-2017-16642 Solaris PHP None No 2.9 Local High None None Un changed Low None None 11.3 See Note 7

Notes:

  1. This fix also addresses CVE-2017-7393 CVE-2017-7394 CVE-2017-7395 CVE-2017-7396.
  2. This fix also addresses CVE-2016-10397 CVE-2017-11142 CVE-2017-11144 CVE-2017-11145 CVE-2017-11146 CVE-2017-11147.
  3. This fix also addresses CVE-2015-1315 CVE-2018-1000032 CVE-2018-1000033 CVE-2018-1000034 CVE-2018-1000035.
  4. This fix also addresses CVE-2018-0492.
  5. This fix also addresses CVE-2017-13710 CVE-2017-14529 CVE-2017-14729 CVE-2017-14745 CVE-2017-14930 CVE-2017-14932 CVE-2017-14933 CVE-2017-14934 CVE-2017-14938 CVE-2017-14939 CVE-2017-14940 CVE-2017-14974 CVE-2017-15020 CVE-2017-15021 CVE-2017-15022 CVE-2017-15023 CVE-2017-15024 CVE-2017-15025 CVE-2017-15225 CVE-2017-15938 CVE-2017-15939 CVE-2017-15996 CVE-2017-16826 CVE-2017-16827 CVE-2017-16828 CVE-2017-16829 CVE-2017-16830 CVE-2017-16831 CVE-2017-16832 CVE-2017-17121 CVE-2017-17122 CVE-2017-17123 CVE-2017-17124 CVE-2017-17125 CVE-2017-17126.
  6. This fix also addresses CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668.
  7. This fix also addresses CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2018-2562 CVE-2018-2573 CVE-2018-2583 CVE-2018-2590 CVE-2018-2591 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2645 CVE-2018-2647 CVE-2018-2665 CVE-2018-2668 CVE-2018-2696 CVE-2018-2703.
  8. This fix also addresses CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054.
  9. This fix also addresses CVE-2018-1000121 CVE-2018-1000122.
  10. This fix also addresses CVE-2018-9257 CVE-2018-9258 CVE-2018-9259 CVE-2018-9260 CVE-2018-9261 CVE-2018-9262 CVE-2018-9263 CVE-2018-9264 CVE-2018-9265 CVE-2018-9266 CVE-2018-9267 CVE-2018-9268 CVE-2018-9269 CVE-2018-9270 CVE-2018-9271 CVE-2018-9272 CVE-2018-9273 CVE-2018-9274.
  11. This fix also addresses CVE-2017-18210 CVE-2017-18211 CVE-2018-6930 CVE-2018-7470.
  12. This fix also addresses CVE-2018-0733 CVE-2018-0739.
  13. This fix also addresses CVE-2018-6759 CVE-2018-6872.
  14. This fix also addresses CVE-2017-15275.
  15. This fix also addresses CVE-2018-1000007 CVE-2018-5711 CVE-2018-5712.
  16. This fix also addresses CVE-2018-1304.
  17. This fix also addresses CVE-2016-1283 CVE-2017-12932.
  18. This fix also addresses CVE-2018-5732.
  19. This fix also addresses CVE-2018-1000156 CVE-2018-6951 CVE-2018-6952.
  20. This fix also addresses CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5131 CVE-2018-5144 CVE-2018-5145.
  21. This fix also addresses CVE-2018-1057.
  22. This fix also addresses CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301 CVE-2018-1302 CVE-2018-1303.
  23. This fix also addresses CVE-2018-5127 CVE-2018-5129 CVE-2018-5144 CVE-2018-5145 CVE-2018-5146.
  24. This fix also addresses CVE-2017-16612.
  25. This fix also addresses CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122.
  26. This fix also addresses CVE-2017-8816 CVE-2017-8817.
  27. This fix also addresses CVE-2017-12448 CVE-2017-12449 CVE-2017-12450 CVE-2017-12451 CVE-2017-12452 CVE-2017-12453 CVE-2017-12454 CVE-2017-12455 CVE-2017-12456 CVE-2017-12457 CVE-2017-12458 CVE-2017-12459 CVE-2017-12799 CVE-2017-12967 CVE-2017-13710 CVE-2017-13716 CVE-2017-14128 CVE-2017-14129 CVE-2017-14130 CVE-2017-14333.
  28. This fix also addresses CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5161 CVE-2018-5162 CVE-2018-5168 CVE-2018-5170 CVE-2018-5174 CVE-2018-5178 CVE-2018-5183 CVE-2018-5184 CVE-2018-5185.
  29. This fix also addresses CVE-2018-10546 CVE-2018-10547 CVE-2018-10548 CVE-2018-10549.
  30. This fix also addresses CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5157 CVE-2018-5158 CVE-2018-5168 CVE-2018-5174 CVE-2018-5178 CVE-2018-5183.
  31. This fix also addresses CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819.
  32. This fix also addresses CVE-2018-2758 CVE-2018-2761 CVE-2018-2766 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2782 CVE-2018-2784 CVE-2018-2787 CVE-2018-2805 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819.
  33. This fix also addresses CVE-2018-11357 CVE-2018-11358 CVE-2018-11359 CVE-2018-11360 CVE-2018-11362.