Oracle Solaris Third Party Bulletin - January 2022
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 19 April 2022
- 19 July 2022
- 18 October 2022
- 17 January 2023
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2022-March-15 | Rev 4. Added CVEs fixed in Solaris 11.4 SRU 43 |
| 2022-February-15 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 42 |
| 2022-January-28 | Rev 2. Added CVE-2021-4034 |
| 2022-January-18 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 41 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 47 new security patches for the Oracle Solaris Operating System. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 4: Published on 2022-03-15
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-0582 | Oracle Solaris | Wireshark | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2022-22815 | Oracle Solaris | Python Imaging Library (PIL) | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2021-43818 | Oracle Solaris | LXML | HTTP | Yes | 8.8 | Network | Low | None | Required | Changed | Low | High | Low | 11.4 | |
| CVE-2021-45078 | Oracle Solaris | GNU binary utilities | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-33430 | Oracle Solaris | NumPy | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 3 |
| CVE-2021-4140 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2021-4140 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2021-4181 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 6 |
| CVE-2021-41817 | Oracle Solaris | Ruby | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2021-44540 | Oracle Solaris | Privoxy | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-44541 | Oracle Solaris | Privoxy | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 8 |
| CVE-2021-45115 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2022-22753 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 10 |
| CVE-2022-22753 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-9484 | Oracle Solaris | Apache Tomcat | HTTP | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | See Note 11 |
| CVE-2021-3737 | Oracle Solaris | Python | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 12 |
| CVE-2022-21824 | Oracle Solaris | Node.js | None | No | 4 | Local | High | None | None | Un changed |
None | Low | Low | 11.4 | See Note 13 |
Revision 3: Published on 2022-02-15
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-3711 | Oracle Solaris | MySQL | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 14 |
| CVE-2021-43527 | Oracle Solaris | Netscape Security Services | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-44790 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4, 10 | See Note 15 |
| CVE-2021-30851 | Oracle Solaris | WebKitGTK | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 16 |
| CVE-2021-3968 | Oracle Solaris | VIM | None | No | 8 | Network | Low | Low | Required | Un changed |
High | High | High | 11.4 | See Note 17 |
| CVE-2021-3770 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 18 |
| CVE-2021-3872 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 19 |
| CVE-2021-3928 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2021-3984 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 20 |
| CVE-2021-4008 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 21 |
| CVE-2021-4069 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-42717 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2021-44420 | Oracle Solaris | Django | HTTP | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2019-14822 | Oracle Solaris | Ibus | None | No | 7.1 | Local | Low | Low | None | Un changed |
High | High | None | 11.4 | |
| CVE-2016-2124 | Oracle Solaris | Samba | SMB | No | 6.8 | Network | High | Low | None | Un changed |
High | High | None | 11.4 | See Note 22 |
| CVE-2021-40812 | Oracle Solaris | GD2 Graphics Draw Library | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2021-43332 | Oracle Solaris | Mailman | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
High | None | None | 11.4 | See Note 23 |
| CVE-2021-39272 | Oracle Solaris | Fetchmail | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2021-3572 | Oracle Solaris | PIP | Multiple | No | 5.7 | Network | Low | Low | Required | Un changed |
None | High | None | 11.4 | |
| CVE-2020-15250 | Oracle Solaris | Junit Issues | None | No | 5.5 | Local | Low | None | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2021-27815 | Oracle Solaris | LibEXIF | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2022-21271 | Oracle Solaris | JDK 7 | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 24 |
| CVE-2022-21271 | Oracle Solaris | JDK 8 | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 25 |
| CVE-2021-39212 | Oracle Solaris | ImageMagick | None | No | 4.4 | Local | Low | Low | None | Un changed |
Low | Low | None | 11.4 | |
Revision 2: Published on 2022-01-28
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-4034 | Oracle Solaris | Polkit | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
Revision 1: Published on 2022-01-18
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2021-44227 | Oracle Solaris | Mailman | HTTP | No | 8 | Network | Low | Low | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2021-39920 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 26 |
| CVE-2021-43537 | Oracle Solaris | Firefox | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 27 |
| CVE-2021-43537 | Oracle Solaris | Thunderbird | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 28 |
| CVE-2021-21707 | Oracle Solaris | PHP | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2022-0581 CVE-2022-0583 CVE-2022-0585 CVE-2022-0586.2. This patch also addresses CVE-2022-22816 CVE-2022-22817.
3. This patch also addresses CVE-2021-34141 CVE-2021-41495 CVE-2021-41496.
4. This patch also addresses CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22744 CVE-2022-22745 CVE-2022-22746 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751.
5. This patch also addresses CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22744 CVE-2022-22745 CVE-2022-22746 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751.
6. This patch also addresses CVE-2021-4182 CVE-2021-4183 CVE-2021-4184 CVE-2021-4185.
7. This patch also addresses CVE-2021-41819.
8. This patch also addresses CVE-2021-44542 CVE-2021-44543.
9. This patch also addresses CVE-2021-45116 CVE-2021-45452.
10. This patch also addresses CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764.
11. This patch also addresses CVE-2022-23181.
12. This patch also addresses CVE-2021-3733.
13. This patch also addresses CVE-2021-44531 CVE-2021-44532 CVE-2021-44533.
14. This patch also addresses CVE-2021-22926 CVE-2021-35604 CVE-2021-35624.
15. This patch also addresses CVE-2021-44224.
16. This patch also addresses CVE-2021-30846 CVE-2021-30848 CVE-2021-30849 CVE-2021-30858 CVE-2021-41133 CVE-2021-42762.
17. This patch also addresses CVE-2021-3973 CVE-2021-3974.
18. This patch also addresses CVE-2021-3778 CVE-2021-3796.
19. This patch also addresses CVE-2021-3875 CVE-2021-3903.
20. This patch also addresses CVE-2021-4019.
21. This patch also addresses CVE-2021-4009 CVE-2021-4010 CVE-2021-4011.
22. This patch also addresses CVE-2020-17049 CVE-2020-25717 CVE-2020-25718 CVE-2020-25719 CVE-2020-25721 CVE-2020-25722 CVE-2021-23192 CVE-2021-3738.
23. This patch also addresses CVE-2021-43331.
24. This patch also addresses CVE-2022-21248 CVE-2022-21282 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21349 CVE-2022-21360 CVE-2022-21365.
25. This patch also addresses CVE-2022-21248 CVE-2022-21282 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21349 CVE-2022-21360 CVE-2022-21365.
26. This patch also addresses CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39926 CVE-2021-39928 CVE-2021-39929.
27. This patch also addresses CVE-2021-43536 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546.
28. This patch also addresses CVE-2021-43528 CVE-2021-43536 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546.