Oracle Solaris Third Party Bulletin - April 2023
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 18 July 2023
- 17 October 2023
- 16 January 2024
- 16 April 2024
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2023-June-23 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 58 |
| 2023-May-25 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 57 |
| 2023-April-18 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 56 and Solaris 11.3 ESU 36.31 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 65 new security patches for the Oracle Solaris Operating System. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2023-06-22
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2023-31047 | Oracle Solaris | Django | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-33621 | Oracle Solaris | Ruby | HTTP | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-33657 | Oracle Solaris | SDL | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2022-4904 | Oracle Solaris | c-ares | Multiple | Yes | 8.6 | Network | Low | None | None | Un changed |
Low | Low | High | 11.4 | |
| CVE-2022-4743 | Oracle Solaris | SDL | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-24021 | Oracle Solaris | ModSecurity | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2023-24532 | Oracle Solaris | Go | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 1 |
| CVE-2023-29531 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2023-29531 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2023-32214 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2023-32214 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2021-3618 | Oracle Solaris | Sendmail | HTTP | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | |
| CVE-2023-1992 | Oracle Solaris | Wireshark | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 6 |
| CVE-2023-28755 | Oracle Solaris | Ruby | HTTP | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-28756 | Oracle Solaris | Ruby | HTTP | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2023-24538 | Oracle Solaris | Go | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | See Note 8 |
Revision 2: Published on 2023-05-25
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-42898 | Oracle Solaris | Kerberos | Multiple | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2022-4883 | Oracle Solaris | lipXpm | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.4 | |
| CVE-2023-0494 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-43618 | Oracle Solaris | GNU Multiple Precision Arithmetic Library | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-42916 | Oracle Solaris | cURL | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 9 |
| CVE-2022-44617 | Oracle Solaris | lipXpm | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 10 |
| CVE-2023-27320 | Oracle Solaris | Sudo | HTTP | No | 7.2 | Network | Low | High | None | Un changed |
High | High | High | 11.4 | |
| CVE-2023-1161 | Oracle Solaris | Wireshark | Multiple | Yes | 7.1 | Network | Low | None | Required | Un changed |
None | Low | High | 11.4 | |
| CVE-2022-28805 | Oracle Solaris | Lua | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 11 |
| CVE-2022-44792 | Oracle Solaris | Net-SNMP | SNMP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 12 |
| CVE-2023-23931 | Oracle Solaris | Python Cryptography | Multiple | Yes | 6.5 | Network | Low | None | None | Un changed |
None | Low | Low | 11.4 | |
| CVE-2022-48303 | Oracle Solaris | GNU Tar | HTTP | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2022-21123 | Oracle Solaris | Intel | None | No | 6.1 | Local | Low | Low | None | Un changed |
High | Low | None | 11.4 | See Note 13 |
| CVE-2022-40897 | Oracle Solaris | Python Packaging Authority | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-23903 | Oracle Solaris | GNOME Multimedia | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2022-39348 | Oracle Solaris | Twisted | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2022-2097 | Oracle Solaris | MySQL | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | See Note 15 |
| CVE-2023-28486 | Oracle Solaris | Sudo | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | See Note 16 |
| CVE-2022-46663 | Oracle Solaris | Less | None | No | 4.4 | Local | Low | High | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-46908 | Oracle Solaris | SQLite | None | No | 3.1 | Local | Low | High | Required | Un changed |
Low | Low | None | 11.4 | |
Revision 1: Published on 2023-04-18
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-24963 | Oracle Solaris | Apache Portable Runtime | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 17 |
| CVE-2022-25147 | Oracle Solaris | Apache Portable Runtime | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2022-32221 | Oracle Solaris | MySQL | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 18 |
| CVE-2022-23521 | Oracle Solaris | Git | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 19 |
| CVE-2023-23598 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 20 |
| CVE-2023-0430 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 21 |
| CVE-2023-0215 | Oracle Solaris | OpenSSL | HTTPS | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4, 11.3, 10 | |
| CVE-2023-23969 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-24580 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-0767 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 22 |
| CVE-2023-25728 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2023-23918 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 23 |
| CVE-2023-25690 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 24 |
| CVE-2023-0568 | Oracle Solaris | PHP | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 25 |
| CVE-2023-25751 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 26 |
| CVE-2023-0616 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 27 |
| CVE-2023-0286 | Oracle Solaris | OpenSSL | HTTPS | Yes | 7.4 | Network | High | None | None | Un changed |
High | None | High | 11.4, 11.3, 10 | |
| CVE-2023-24998 | Oracle Solaris | Apache Tomcat | HTTP | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 28 |
| CVE-2023-0795 | Oracle Solaris | LibTIFF | None | No | 6.1 | Local | Low | None | Required | Un changed |
Low | None | High | 11.4 | See Note 29 |
| CVE-2023-0800 | Oracle Solaris | LibTIFF | None | No | 6.1 | Local | Low | None | Required | Un changed |
None | Low | High | 11.4 | See Note 30 |
| CVE-2022-4304 | Oracle Solaris | OpenSSL | HTTPS | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4, 11.3, 10 | |
| CVE-2022-4450 | Oracle Solaris | OpenSSL | HTTPS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-0216 | Oracle Solaris | OpenSSL | HTTPS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-0217 | Oracle Solaris | OpenSSL | HTTPS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-0401 | Oracle Solaris | OpenSSL | HTTPS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-23946 | Oracle Solaris | Git | None | No | 5.5 | Local | Low | None | Required | Un changed |
High | None | None | 11.4 | See Note 31 |
| CVE-2021-37519 | Oracle Solaris | Memcached | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2022-48281 | Oracle Solaris | LibTIFF | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2022-4203 | Oracle Solaris | OpenSSL | HTTPS | No | 4.9 | Network | Low | High | None | Un changed |
None | None | High | 11.4 | |
Notes:
1. This patch also addresses CVE-2022-41723 CVE-2022-41724 CVE-2022-41725.2. This patch also addresses CVE-2023-1945 CVE-2023-29532 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536 CVE-2023-29539 CVE-2023-29541 CVE-2023-29542 CVE-2023-29545 CVE-2023-29548 CVE-2023-29550.
3. This patch also addresses CVE-2023-0547 CVE-2023-1945 CVE-2023-29479 CVE-2023-29532 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536 CVE-2023-29539 CVE-2023-29541 CVE-2023-29542 CVE-2023-29545 CVE-2023-29548 CVE-2023-29550.
4. This patch also addresses CVE-2023-32205 CVE-2023-32206 CVE-2023-32207 CVE-2023-32211 CVE-2023-32212 CVE-2023-32213 CVE-2023-32215.
5. This patch also addresses CVE-2023-32205 CVE-2023-32206 CVE-2023-32207 CVE-2023-32211 CVE-2023-32212 CVE-2023-32213 CVE-2023-32215.
6. This patch also addresses CVE-2023-1993 CVE-2023-1994.
7. This patch also addresses CVE-2023-28756.
8. This patch also addresses CVE-2023-24534 CVE-2023-24536 CVE-2023-24537.
9. This patch also addresses CVE-2022-30115 CVE-2022-43551 CVE-2022-43552.
10. This patch also addresses CVE-2022-44617 CVE-2022-46285.
11. This patch also addresses CVE-2022-33099.
12. This patch also addresses CVE-2022-44793.
13. This patch also addresses CVE-2022-21125 CVE-2022-21127 CVE-2022-21166.
14. This patch also addresses CVE-2020-23904.
15. This patch also addresses CVE-2022-21589 CVE-2022-21592 CVE-2022-21608 CVE-2022-21617.
16. This patch also addresses CVE-2023-28487.
17. This patch also addresses CVE-2017-12613 CVE-2021-35940 CVE-2022-28331.
18. This patch also addresses CVE-2023-21840.
19. This patch also addresses CVE-2022-41903.
20. This patch also addresses CVE-2022-46871 CVE-2022-46877 CVE-2023-23599 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605.
21. This patch also addresses CVE-2022-46871 CVE-2022-46874 CVE-2022-46877 CVE-2023-23598 CVE-2023-23599 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605.
22. This patch also addresses CVE-2023-25728 CVE-2023-25729 CVE-2023-25730 CVE-2023-25732 CVE-2023-25734 CVE-2023-25735 CVE-2023-25737 CVE-2023-25738 CVE-2023-25739 CVE-2023-25742 CVE-2023-25743 CVE-2023-25744 CVE-2023-25746.
23. This patch also addresses CVE-2023-23919 CVE-2023-23920 CVE-2023-23936 CVE-2023-24807.
24. This patch also addresses CVE-2023-27522.
25. This patch also addresses CVE-2023-0567 CVE-2023-0662.
26. This patch also addresses CVE-2023-25752 CVE-2023-28162 CVE-2023-28163 CVE-2023-28164 CVE-2023-28176.
27. This patch also addresses CVE-2023-0767 CVE-2023-25728 CVE-2023-25729 CVE-2023-25730 CVE-2023-25732 CVE-2023-25734 CVE-2023-25735 CVE-2023-25737 CVE-2023-25738 CVE-2023-25739 CVE-2023-25742 CVE-2023-25746.
28. This patch also addresses CVE-2023-28708.
29. This patch also addresses CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799.
30. This patch also addresses CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804.
31. This patch also addresses CVE-2022-39253 CVE-2023-22490.