Oracle Solaris Third Party Bulletin - January 2019

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. Each bulletin is also updated on the Tuesday closest to the 17th of each of the two months following its release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 April 2019
  • 16 July 2019
  • 15 October 2019
  • 14 January 2020

References

Modification History

2019-April-16 Rev 4. Updated CVE-2018-17183 and CVE-2018-15909 fixed in Solaris 11.3 LSU 36.10
2019-March-19 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 7
2019-February-19 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 6
2019-January-15 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.7 and Solaris 11.4 SRU 5

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 64 new security fixes for the Oracle Solaris Operating System. 40 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2019-03-19

Columns from Base Score to Availability are the CVSS version 3.0 base metrics (see Risk Matrix Definitions).

CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2018-16375 | Oracle Solaris | OpenJPEG | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 |
CVE-2018-18356 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 1
CVE-2019-6486 | Oracle Solaris | Go Programming Language | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2018-4464 | Oracle Solaris | WebKitGTK+ | Multiple | Yes | 7.1 | Network | High | None | Required | Unchanged | High | High | Low | 11.4 | See Note 2
CVE-2019-3823 | Oracle Solaris | libcurl | Multiple | Yes | 7.1 | Network | Low | None | Required | Unchanged | None | Low | High | 11.4 | See Note 3
CVE-2017-1000115 | Oracle Solaris | Mercurial | Multiple | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.4 | See Note 4
CVE-2018-1060 | Oracle Solaris | Python | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 5
CVE-2018-1060 | Oracle Solaris | Python | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 6
CVE-2017-17458 | Oracle Solaris | Mercurial | Multiple | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.4 |
CVE-2018-20482 | Oracle Solaris | GNU tar | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4, 10 |
CVE-2017-15107 | Oracle Solaris | DNSmasq | Multiple | Yes | 5.4 | Network | High | None | None | Changed | None | Low | Low | 11.4 |
CVE-2018-20684 | Oracle Solaris | OpenSSH | Multiple | Yes | 5.3 | Network | High | None | Required | Unchanged | None | High | None | 11.4 | See Note 7
CVE-2018-20685 | Oracle Solaris | RCP | Multiple | Yes | 5.3 | Network | High | None | Required | Unchanged | None | High | None | 11.4, 10 |
CVE-2018-0495 | Oracle Solaris | Netscape Security Services | None | No | 5.1 | Local | High | None | None | Unchanged | High | None | None | 11.4 | See Note 8
CVE-2017-14166 | Oracle Solaris | libarchive | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 9
CVE-2017-9998 | Oracle Solaris | libdwarf | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 |
CVE-2014-2524 | Oracle Solaris | GNU Readline | None | No | 2.8 | Local | Low | Low | Required | Unchanged | None | Low | None | 11.4 |

Revision 2: Published on 2019-02-19

Columns from Base Score to Availability are the CVSS version 3.0 base metrics (see Risk Matrix Definitions).

CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-16541 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 10
CVE-2018-12395 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 11
CVE-2018-17466 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 12
CVE-2018-18505 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 13
CVE-2017-17405 | Oracle Solaris | Ruby | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | See Note 14
CVE-2018-18311 | Oracle Solaris | Perl | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 |
CVE-2018-11759 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4 | See Note 15
CVE-2018-16395 | Oracle Solaris | Ruby | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 | See Note 16
CVE-2018-19486 | Oracle Solaris | Git | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 |
CVE-2018-19788 | Oracle Solaris | PolicyKit | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 11.4 |
CVE-2017-1000385 | Oracle Solaris | Erlang | Multiple | Yes | 6.5 | Network | High | None | None | Unchanged | High | Low | None | 11.4 | See Note 17
CVE-2017-11465 | Oracle Solaris | Ruby | Multiple | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.4 | See Note 18
CVE-2018-1060 | Oracle Solaris | Python | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4, 10 | See Note 19
CVE-2018-10916 | Oracle Solaris | LFTP | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | High | None | 11.4 |
CVE-2017-6512 | Oracle Solaris | Perl | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 11.4 |
CVE-2017-6512 | Oracle Solaris | Perl | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 11.4 |
CVE-2015-8327 | Oracle Solaris | Foomatic Print Filter | Multiple | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | 11.4 |
CVE-2019-5718 | Oracle Solaris | Wireshark | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 20
CVE-2018-1000222 | Oracle Solaris | GD2 Graphics Draw Library | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 |
CVE-2018-15473 | Oracle Solaris | OpenSSH | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.4 |
CVE-2018-16335 | Oracle Solaris | LibTIFF | None | No | 5.3 | Local | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 21
CVE-2018-17795 | Oracle Solaris | LibTIFF | None | No | 5.3 | Local | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 22
CVE-2018-1000030 | Oracle Solaris | Python | Multiple | No | 4.3 | Network | Low | High | Required | Unchanged | Low | Low | Low | 11.4, 10 |
CVE-2018-5711 | Oracle Solaris | GD2 Graphics Draw Library | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.4 |
CVE-2018-20217 | Oracle Solaris | Kerberos | Multiple | No | 3.5 | Network | Low | Low | Required | Unchanged | None | None | Low | 11.4 |
CVE-2018-12015 | Oracle Solaris | Perl | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | Low | None | 11.4 |
CVE-2018-12015 | Oracle Solaris | Perl | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | Low | None | 11.4 |
CVE-2017-15906 | Oracle Solaris | OpenSSH | None | No | 2.8 | Local | Low | Low | Required | Unchanged | None | Low | None | 11.4 |

Revision 1: Published on 2019-01-15

Columns from Base Score to Availability are the CVSS version 3.0 base metrics (see Risk Matrix Definitions).

CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2018-6913 | Oracle Solaris | Perl | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | See Note 23
CVE-2018-19158 | Oracle Solaris | PHP | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | See Note 24
CVE-2018-17183 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4, 11.3 | See Note 25
CVE-2018-11763 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2018-19628 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 26
CVE-2018-15909 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.4, 11.3 |
CVE-2018-0739 | Oracle Solaris | MySQL | Multiple | No | 7.1 | Network | Low | Low | None | Unchanged | None | Low | High | 11.4 | See Note 27
CVE-2016-8705 | Oracle Solaris | Memcached | Multiple | Yes | 6.5 | Network | Low | None | None | Unchanged | None | Low | Low | 11.4 | See Note 28
CVE-2017-1000456 | Oracle Solaris | Poppler | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 |
CVE-2018-3070 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 | See Note 29
CVE-2018-3282 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 | See Note 30
CVE-2018-3247 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 | See Note 31
CVE-2018-1000115 | Oracle Solaris | Memcached | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 |
CVE-2018-13988 | Oracle Solaris | Poppler | None | No | 5.3 | Local | Low | None | Required | Unchanged | Low | Low | Low | 11.4 |
CVE-2017-18267 | Oracle Solaris | Poppler | None | No | 5.1 | Local | High | None | None | Unchanged | None | None | High | 11.4 |
CVE-2018-0734 | Oracle Solaris | OpenSSL | None | No | 5.1 | Local | High | None | None | Unchanged | High | None | None | 11.3, 10 | See Note 32
CVE-2018-5407 | Oracle Solaris | OpenSSL | None | No | 4.8 | Physical | High | Low | None | Changed | High | None | None | 11.3, 10 |
CVE-2017-14517 | Oracle Solaris | Poppler | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 33
CVE-2018-9918 | Oracle Solaris | Qpdf | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 |
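Each row of the three matrices above prints the CVSS version 3.0 base metrics beside the published base score, so the score can be recomputed and the "Remote Exploit without Auth.?" column can be cross-checked against Attack Vector and Privileges Required. The following Python is an added example, not Oracle's tooling: it implements the public CVSS v3.0 base equation with the specification's metric weights, parses rows in the space-separated form in which the matrix is commonly extracted (component names with spaces, a Scope split as "Un changed", an optional "See Note N"), and verifies a sample of rows copied verbatim from the matrices above. The rule that a row is remotely exploitable without authentication exactly when Attack Vector is Network and Privileges Required is None is the one this bulletin's Yes/No column follows; treat it as an assumption for any other matrix.

```python
"""Recompute the CVSS v3.0 base scores printed in the risk matrices above.

Added example; this is not Oracle's tooling. The formula and metric weights
are those of the public CVSS v3.0 specification; SAMPLE_ROWS are copied
verbatim from the bulletin's matrices.
"""
import math
import re

# CVSS v3.0 base-metric weights, keyed by the names the matrix prints.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required weighs more when the vulnerable scope is Changed.
PR = {"Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
      "Changed": {"None": 0.85, "Low": 0.68, "High": 0.50}}


def roundup(x):
    """CVSS Roundup: smallest one-decimal value >= x, in integer arithmetic
    (as the v3.1 spec recommends) so float noise like 4.000000001 stays 4.0."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss30_base(av, ac, pr, ui, scope, c, i, a):
    """Base score from the eight base metrics, spelled as in the matrix."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Changed":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    if impact <= 0:
        return 0.0
    if scope == "Changed":
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


# One matrix row as extracted to plain text: the component name may contain
# spaces, Scope may be split as "Un changed", and "See Note N" is optional.
ROW_RE = re.compile(
    r"""^(?P<cve>CVE-\d{4}-\d+)\s+Oracle\ Solaris\s+(?P<component>.+?)\s+
        (?P<protocol>Multiple|None)\s+(?P<remote>Yes|No)\s+(?P<score>\d+(?:\.\d)?)\s+
        (?P<av>Network|Adjacent|Local|Physical)\s+(?P<ac>Low|High)\s+
        (?P<pr>None|Low|High)\s+(?P<ui>None|Required)\s+(?P<scope>Un\s?changed|Changed)\s+
        (?P<c>None|Low|High)\s+(?P<i>None|Low|High)\s+(?P<a>None|Low|High)\s+
        (?P<versions>[\d.,\s]+?)(?:\s+See\ Note\ (?P<note>\d+))?\s*$""",
    re.X,
)


def parse_row(line):
    """Split one flattened matrix row into its columns; raises on a malformed row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised matrix row: %r" % line)
    r = m.groupdict()
    r["scope"] = "Changed" if r["scope"] == "Changed" else "Unchanged"
    r["remote"] = r["remote"] == "Yes"
    r["score"] = float(r["score"])
    r["versions"] = [v.strip() for v in r["versions"].split(",")]
    return r


def check_rows(rows):
    """Return (cve, published score, recomputed score, remote column consistent) per row."""
    out = []
    for line in rows:
        r = parse_row(line)
        calc = cvss30_base(r["av"], r["ac"], r["pr"], r["ui"], r["scope"], r["c"], r["i"], r["a"])
        # Assumed rule for the Yes/No column, as this bulletin uses it: Yes exactly
        # when the vector is Network-reachable and needs no privileges.
        remote_ok = r["remote"] == (r["av"] == "Network" and r["pr"] == "None")
        out.append((r["cve"], r["score"], calc, remote_ok))
    return out


# Rows copied from the bulletin, chosen to cover the edge cases: a Changed scope,
# a Physical vector, non-None privileges, a multi-word component, several
# affected versions and a note reference.
SAMPLE_ROWS = [
    "CVE-2018-16375 Oracle Solaris OpenJPEG Multiple Yes 8.8 Network Low None Required Un changed High High High 11.4",
    "CVE-2017-15107 Oracle Solaris DNSmasq Multiple Yes 5.4 Network High None None Changed None Low Low 11.4",
    "CVE-2018-5407 Oracle Solaris OpenSSL None No 4.8 Physical High Low None Changed High None None 11.3, 10",
    "CVE-2018-1000030 Oracle Solaris Python Multiple No 4.3 Network Low High Required Un changed Low Low Low 11.4, 10",
    "CVE-2018-19788 Oracle Solaris PolicyKit None No 7 Local High Low None Un changed High High High 11.4",
    "CVE-2018-0495 Oracle Solaris Netscape Security Services None No 5.1 Local High None None Un changed High None None 11.4 See Note 8",
    "CVE-2018-1060 Oracle Solaris Python Multiple Yes 6.5 Network Low None Required Un changed None None High 11.4, 10 See Note 19",
]

if __name__ == "__main__":
    for cve, published, calc, remote_ok in check_rows(SAMPLE_ROWS):
        flag = "" if published == calc and remote_ok else "  <-- mismatch"
        print("%-17s published %.1f recomputed %.1f%s" % (cve, published, calc, flag))
```

Feeding every row of the three matrices through check_rows is a cheap way to catch transcription errors when a bulletin is copied into an internal tracker: a published score that the metrics cannot reproduce, or a "Yes" on a row whose vector is Local, is a copy error rather than a property of the vulnerability. Note that the Scope-Changed impact term is the v3.0 one; CVSS v3.1 alters that sub-formula, so scores from a v3.1 calculator can differ by 0.1 on Changed-scope rows.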

Notes:

  1. This fix also addresses CVE-2019-5785.
  2. This fix also addresses CVE-2018-4437 CVE-2018-4438 CVE-2018-4441 CVE-2018-4442 CVE-2018-4443.
  3. This fix also addresses CVE-2018-16890 CVE-2019-3822.
  4. This fix also addresses CVE-2017-1000116 CVE-2018-1000132 CVE-2018-13346 CVE-2018-13348.
  5. This fix also addresses CVE-2018-1061.
  6. This fix also addresses CVE-2018-1061.
  7. This fix also addresses CVE-2018-20685 CVE-2019-6109 CVE-2019-6110 CVE-2019-6111.
  8. This fix also addresses CVE-2017-5461 CVE-2018-0495.
  9. This fix also addresses CVE-2017-14501 CVE-2017-14502 CVE-2017-14503.
  10. This fix also addresses CVE-2018-12376 CVE-2018-12377 CVE-2018-12378 CVE-2018-12379 CVE-2018-12381 CVE-2018-12383 CVE-2018-12385 CVE-2018-12386 CVE-2018-12387.
  11. This fix also addresses CVE-2018-12389 CVE-2018-12390 CVE-2018-12391 CVE-2018-12392 CVE-2018-12393 CVE-2018-12396 CVE-2018-12397.
  12. This fix also addresses CVE-2018-12405 CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498.
  13. This fix also addresses CVE-2018-18500 CVE-2018-18501.
  14. This fix also addresses CVE-2016-2339 CVE-2017-17790 CVE-2018-8777.
  15. This fix also addresses CVE-2018-1323.
  16. This fix also addresses CVE-2018-16396.
  17. This fix also addresses CVE-2017-13098 CVE-2017-13099.
  18. This fix also addresses CVE-2016-2339 CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2017-6181 CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780.
  19. This fix also addresses CVE-2018-1061.
  20. This fix also addresses CVE-2019-5716 CVE-2019-5717 CVE-2019-5719.
  21. This fix also addresses CVE-2017-11613 CVE-2018-15209 CVE-2018-17100 CVE-2018-17101.
  22. This fix also addresses CVE-2017-18013 CVE-2018-10126 CVE-2018-10779 CVE-2018-10801 CVE-2018-12900 CVE-2018-18557 CVE-2018-18661 CVE-2018-7456 CVE-2018-8905.
  23. This fix also addresses CVE-2018-6797 CVE-2018-6798.
  24. This fix also addresses CVE-2018-19518.
  25. This fix also addresses CVE-2018-17961 CVE-2018-18073 CVE-2018-18284.
  26. This fix also addresses CVE-2018-19622 CVE-2018-19623 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628.
  27. This fix also addresses CVE-2018-2767 CVE-2018-3058 CVE-2018-3062 CVE-2018-3064 CVE-2018-3066 CVE-2018-3070 CVE-2018-3081.
  28. This fix also addresses CVE-2017-9951 CVE-2018-1000127.
  29. This fix also addresses CVE-2018-2767 CVE-2018-3058 CVE-2018-3063 CVE-2018-3066 CVE-2018-3081.
  30. This fix also addresses CVE-2018-3133 CVE-2018-3174.
  31. This fix also addresses CVE-2018-3133 CVE-2018-3143 CVE-2018-3156 CVE-2018-3174 CVE-2018-3251 CVE-2018-3276 CVE-2018-3278 CVE-2018-3282.
  32. This fix also addresses CVE-2018-0735 CVE-2018-5407.
  33. This fix also addresses CVE-2017-14518 CVE-2017-14519 CVE-2017-14520 CVE-2017-14927 CVE-2017-14975 CVE-2017-14976 CVE-2017-14977 CVE-2017-15565.