Oracle Solaris Third Party Bulletin - January 2023
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 18 April 2023
- 18 July 2023
- 17 October 2023
- 16 January 2024
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2023-March-20 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 55 |
| 2023-February-14 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 54 |
| 2023-January-17 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 53 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 41 new security patches for the Oracle Solaris Operating System. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2023-03-20
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-3515 | Oracle Solaris | GnuPG | HTTP | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2023-22809 | Oracle Solaris | Sudo | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2022-3094 | Oracle Solaris | BIND | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 1 |
| CVE-2022-40898 | Oracle Solaris | Python Module | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-45143 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2022-45199 | Oracle Solaris | Python Imaging Library (PIL) | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-36760 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 2 |
| CVE-2023-0412 | Oracle Solaris | Wireshark | Multiple | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | See Note 3 |
Revision 2: Published on 2023-02-14
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-25032 | Oracle Solaris | MySQL | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2022-46340 | Oracle Solaris | X.Org | Multiple | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2021-30860 | Oracle Solaris | Poppler | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2022-25255 | Oracle Solaris | Qt Toolkit | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2022-2816 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2022-40304 | Oracle Solaris | libxml2 | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2022-45939 | Oracle Solaris | GNU Emacs | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2022-2309 | Oracle Solaris | libxml2 | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-32189 | Oracle Solaris | GCC Go | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2022-32221 | Oracle Solaris | libcurl | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 10 |
| CVE-2022-41715 | Oracle Solaris | GCC Go | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 11 |
| CVE-2022-2928 | Oracle Solaris | ISC DHCP | DHCP | Yes | 6.5 | Adjacent Network |
Low | None | None | Un changed |
None | None | High | 11.4 | See Note 12 |
| CVE-2022-32207 | Oracle Solaris | libcurl | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 13 |
| CVE-2022-42010 | Oracle Solaris | DBus | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2022-0718 | Oracle Solaris | OpenStack Utility Library | HTTP | No | 6 | Network | Low | High | None | Un changed |
High | Low | Low | 11.4 | |
| CVE-2022-2309 | Oracle Solaris | lxml | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-36227 | Oracle Solaris | libarchive | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-1122 | Oracle Solaris | OpenJPEG | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 15 |
| CVE-2023-21830 | Oracle Solaris | JDK 8 | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | Low | None | 11.4 | |
| CVE-2022-36113 | Oracle Solaris | Cargo | HTTP | No | 4.8 | Network | High | Low | Required | Un changed |
None | None | High | 11.4 | See Note 16 |
| CVE-2022-35252 | Oracle Solaris | libcurl | HTTP | Yes | 3.1 | Network | High | None | Required | Un changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2023-01-17
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-3970 | Oracle Solaris | LibTIFF | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-46848 | Oracle Solaris | libtasn1 | HTTP | Yes | 9.1 | Network | Low | None | None | Un changed |
High | None | High | 11.4 | |
| CVE-2022-39260 | Oracle Solaris | Git | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 17 |
| CVE-2022-3276 | Oracle Solaris | Puppet | HTTP | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2022-44638 | Oracle Solaris | Pixman | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2022-37797 | Oracle Solaris | Lighttpd | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 18 |
| CVE-2022-3204 | Oracle Solaris | Unbound | DNS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-43680 | Oracle Solaris | libexpat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-45061 | Oracle Solaris | Python | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2022-46882 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 19 |
| CVE-2022-46882 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 20 |
| CVE-2022-45063 | Oracle Solaris | XTerm | Multiple | Yes | 7.4 | Network | High | None | None | Un changed |
High | None | High | 11.4 | |
Notes:
1. This patch also addresses CVE-2022-3736 CVE-2022-3924.2. This patch also addresses CVE-2006-20001 CVE-2022-37436.
3. This patch also addresses CVE-2022-4345 CVE-2023-0411 CVE-2023-0413 CVE-2023-0414 CVE-2023-0415 CVE-2023-0416 CVE-2023-0417.
4. This patch also addresses CVE-2022-1292 CVE-2022-21515 CVE-2022-27778.
5. This patch also addresses CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344.
6. This patch also addresses CVE-2022-27337 CVE-2022-38171 CVE-2022-38784.
7. This patch also addresses CVE-2022-2817 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849 CVE-2022-2862 CVE-2022-2874 CVE-2022-2889 CVE-2022-2923 CVE-2022-2946 CVE-2022-2980 CVE-2022-3016 CVE-2022-3037 CVE-2022-3099 CVE-2022-3134 CVE-2022-3153 CVE-2022-3234 CVE-2022-3235 CVE-2022-3256 CVE-2022-3278 CVE-2022-3296 CVE-2022-3297 CVE-2022-3324 CVE-2022-3352 CVE-2022-3705.
8. This patch also addresses CVE-2022-40303.
9. This patch also addresses CVE-2022-1705 CVE-2022-1962 CVE-2022-24675 CVE-2022-27536 CVE-2022-27664 CVE-2022-28131 CVE-2022-28327 CVE-2022-29526 CVE-2022-29804 CVE-2022-30629 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30634 CVE-2022-30635 CVE-2022-32148 CVE-2022-32190.
10. This patch also addresses CVE-2022-35260 CVE-2022-42915 CVE-2022-42916 CVE-2022-42919.
11. This patch also addresses CVE-2022-2879 CVE-2022-2880 CVE-2022-41716.
12. This patch also addresses CVE-2022-2929.
13. This patch also addresses CVE-2022-32205 CVE-2022-32206 CVE-2022-32208.
14. This patch also addresses CVE-2022-42011 CVE-2022-42012.
15. This patch also addresses CVE-2021-29338.
16. This patch also addresses CVE-2022-36114.
17. This patch also addresses CVE-2022-39253.
18. This patch also addresses CVE-2022-41556.
19. This patch also addresses CVE-2022-46872 CVE-2022-46874 CVE-2022-46875 CVE-2022-46878 CVE-2022-46880 CVE-2022-46881.
20. This patch also addresses CVE-2022-45414 CVE-2022-46872 CVE-2022-46874 CVE-2022-46875 CVE-2022-46878 CVE-2022-46880 CVE-2022-46881.