Oracle Solaris Third Party Bulletin - October 2024


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 21 January 2025
  • 15 April 2025
  • 15 July 2025
  • 21 October 2025

References


Modification History

| Date | Note |
|---|---|
| 2024-December-18 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 76 |
| 2024-November-26 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 75 |
| 2024-October-15 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 74 |

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 30 new security patches for the Oracle Solaris Operating System. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2024-12-18

The columns Base Score through Availability are CVSS version 3.1 metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-52316 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 1 |

Revision 2: Published on 2024-11-26

The columns Base Score through Availability are CVSS version 3.1 metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-41671 | Oracle Solaris | Twisted | Multiple | Yes | 8.3 | Network | Low | None | None | Changed | Low | Low | Low | 11.4 | See Note 2 |
| CVE-2024-24246 | Oracle Solaris | Qpdf | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-38535 | Oracle Solaris | Suricata | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 3 |
| CVE-2024-6239 | Oracle Solaris | Poppler | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-9392 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 4 |
| CVE-2024-9392 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 5 |
| CVE-2024-9680 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2024-36472 | Oracle Solaris | GNOME Shell | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2024-6655 | Oracle Solaris | Gdk-Pixbuf | None | No | 7 | Local | High | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2024-40897 | Oracle Solaris | GStreamer | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2020-35357 | Oracle Solaris | Gnu Scientific Library | None | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2024-7006 | Oracle Solaris | LibTIFF | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-0914 | Oracle Solaris | Pkcs#11 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | |
| CVE-2024-6119 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2023-52722 | Oracle Solaris | Ghostscript | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | High | None | 11.4 | See Note 6 |
| CVE-2024-38428 | Oracle Solaris | Wget | Multiple | No | 5.5 | Local | Low | None | Required | Unchanged | High | None | None | 11.4 | |
| CVE-2024-37371 | Oracle Solaris | Kerberos | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 7 |
| CVE-2023-52169 | Oracle Solaris | 7-Zip File Archiver | None | No | 4.9 | Local | High | None | None | Unchanged | Low | Low | Low | 11.4 | See Note 8 |
| CVE-2024-41965 | Oracle Solaris | VIM | None | No | 4.8 | Local | Low | Low | Required | Unchanged | Low | Low | Low | 11.4 | See Note 9 |
| CVE-2024-5535 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 11.4 | |
| CVE-2024-35235 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 4.4 | Local | Low | High | None | Unchanged | High | None | None | 11.4 | |
| CVE-2023-48232 | Oracle Solaris | VIM | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 10 |
| CVE-2024-37535 | Oracle Solaris | Libvte | None | No | 4 | Local | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 11 |
| CVE-2024-43167 | Oracle Solaris | Unbound | None | No | 2.8 | Local | Low | Low | Required | Unchanged | None | None | Low | 11.4 | |

Revision 1: Published on 2024-10-15

The columns Base Score through Availability are CVSS version 3.1 metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-31744 | Oracle Solaris | JasPer | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-45230 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 12 |
| CVE-2024-8381 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 13 |
| CVE-2024-8381 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 14 |
| CVE-2024-42353 | Oracle Solaris | WebOb | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |

Notes:

1. This patch also addresses CVE-2024-52317 CVE-2024-52318.

2. This patch also addresses CVE-2024-41810.

3. This patch also addresses CVE-2024-38534 CVE-2024-38535 CVE-2024-38536.

4. This patch also addresses CVE-2024-8900 CVE-2024-9393 CVE-2024-9394 CVE-2024-9396 CVE-2024-9397 CVE-2024-9398 CVE-2024-9399 CVE-2024-9400 CVE-2024-9401 CVE-2024-9402.

5. This patch also addresses CVE-2024-8900 CVE-2024-9393 CVE-2024-9394 CVE-2024-9396 CVE-2024-9397 CVE-2024-9398 CVE-2024-9399 CVE-2024-9400 CVE-2024-9401 CVE-2024-9402.

6. This patch also addresses CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29510 CVE-2024-29511 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871.

7. This patch also addresses CVE-2024-37370.

8. This patch also addresses CVE-2023-52169.

9. This patch also addresses CVE-2024-41965.

10. This patch also addresses CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237.

11. This patch also addresses CVE-2024-37535.

12. This patch also addresses CVE-2024-45231.

13. This patch also addresses CVE-2024-8382 CVE-2024-8383 CVE-2024-8384 CVE-2024-8385 CVE-2024-8386 CVE-2024-8387.

14. This patch also addresses CVE-2024-8382 CVE-2024-8384 CVE-2024-8385 CVE-2024-8386 CVE-2024-8387 CVE-2024-8394.