Oracle Solaris Third Party Bulletin - April 2024
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 16 July 2024
- 15 October 2024
- 14 January 2025
- 15 April 2025
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2024-June-14 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 70 |
| 2024-May-24 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 69 |
| 2024-April-16 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 68 and Solaris 11.3 ESU 36.33 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 62 new security patches for the Oracle Solaris Operating System. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2024-06-14
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2023-6597 | Oracle Solaris | Python | None | No | 7.8 | Local | High | None | None | Changed | High | High | None | 11.4 | See Note 1 |
| CVE-2023-45288 | Oracle Solaris | Go Programming Language | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-2609 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2024-2609 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2024-4340 | Oracle Solaris | sqlparse | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-28219 | Oracle Solaris | Python Imaging Library (PIL) | None | No | 7.3 | Local | Low | None | None | Un changed |
Low | Low | High | 11.4 | |
| CVE-2024-21009 | Oracle Solaris | MySQL | Multiple | Yes | 6.5 | Network | High | None | None | Un changed |
None | Low | High | 11.4 | See Note 4 |
| CVE-2024-4853 | Oracle Solaris | Wireshark | Multiple | Yes | 6.4 | Network | High | None | Required | Un changed |
Low | Low | High | 11.4 | See Note 5 |
| CVE-2024-4367 | Oracle Solaris | Firefox | Multiple | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | See Note 6 |
| CVE-2024-4367 | Oracle Solaris | Thunderbird | Multiple | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | See Note 7 |
| CVE-2024-27282 | Oracle Solaris | Ruby | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2023-46118 | Oracle Solaris | RabbitMQ | HTTP | No | 4.9 | Network | Low | High | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-27281 | Oracle Solaris | Ruby | None | No | 4.5 | Local | High | None | Required | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2024-27280 | Oracle Solaris | Ruby | HTTP | No | 3.1 | Network | High | Low | None | Un changed |
Low | None | None | 11.4 | |
Revision 2: Published on 2024-05-24
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2022-37026 | Oracle Solaris | Erlang | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2023-6816 | Oracle Solaris | X.Org | None | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2022-33065 | Oracle Solaris | Libsndfile | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2023-40481 | Oracle Solaris | 7-Zip | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2024-2955 | Oracle Solaris | Wireshark | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2023-41993 | Oracle Solaris | JDK 8 | None | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2023-50269 | Oracle Solaris | Squid | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-50868 | Oracle Solaris | DNSmasq | DNSSEC | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2023-51764 | Oracle Solaris | Postfix | SMTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2024-2002 | Oracle Solaris | libdwarf | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-24258 | Oracle Solaris | freeglut | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 10 |
| CVE-2024-27982 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 11 |
| CVE-2024-1013 | Oracle Solaris | UnixODBC | None | No | 7.1 | Local | Low | Low | None | Un changed |
High | None | High | 11.4 | |
| CVE-2022-47069 | Oracle Solaris | p7zip | None | No | 7 | Local | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2023-42465 | Oracle Solaris | Sudo | None | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2023-45289 | Oracle Solaris | Go Programming Language | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | High | None | 11.4 | See Note 12 |
| CVE-2024-23638 | Oracle Solaris | Squid | HTTP | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-38469 | Oracle Solaris | Avahi | DNS | No | 6.2 | Local | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 13 |
| CVE-2023-50246 | Oracle Solaris | Command-line JSON Processor | None | No | 6.2 | Local | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-5341 | Oracle Solaris | ImageMagick | None | No | 6.2 | Local | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-48795 | Oracle Solaris | libssh | SSH | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2017-6519 | Oracle Solaris | Avahi | DNS | Yes | 5.8 | Network | Low | None | None | Changed | None | None | Low | 11.4 | See Note 14 |
| CVE-2021-45261 | Oracle Solaris | GNU Patch | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 15 |
| CVE-2023-7104 | Oracle Solaris | SQLite3 | HTTP | No | 5.5 | Adjacent Network |
Low | Low | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2023-46218 | Oracle Solaris | libcurl | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | See Note 16 |
| CVE-2023-46852 | Oracle Solaris | Memcached | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 17 |
| CVE-2023-52425 | Oracle Solaris | libexpat | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2023-52426 | Oracle Solaris | libexpat | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2023-5678 | Oracle Solaris | OpenSSL | TLS | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2023-7250 | Oracle Solaris | iperf | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2024-0690 | Oracle Solaris | Ansible | None | No | 5 | Local | Low | Low | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2023-5363 | Oracle Solaris | MySQL | Multiple | No | 4.9 | Network | Low | High | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-25629 | Oracle Solaris | C-Ares Asychronous Dns Library | None | No | 4.4 | Local | Low | High | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-0853 | Oracle Solaris | libcurl | HTTP | No | 3.8 | Network | Low | High | None | Un changed |
Low | Low | None | 11.4 | |
| CVE-2023-6237 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Un changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2024-04-16
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2023-51257 | Oracle Solaris | Ghostscript | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 10 | |
| CVE-2023-51765 | Oracle Solaris | Sendmail | SMTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4, 10 | |
| CVE-2023-52355 | Oracle Solaris | LibTIFF | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 18 |
| CVE-2024-0743 | Oracle Solaris | Netscape Security Services | TLS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-50868 | Oracle Solaris | Bind | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 19 |
| CVE-2023-50868 | Oracle Solaris | Unbound | DNSSEC | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 20 |
| CVE-2024-21891 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 21 |
| CVE-2024-23672 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 22 |
| CVE-2024-24806 | Oracle Solaris | libuv | HTTP | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2022-40982 | Oracle Solaris | Kernel | None | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 11.4 | |
| CVE-2023-5388 | Oracle Solaris | Firefox | HTTP | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | See Note 23 |
| CVE-2023-5388 | Oracle Solaris | Thunderbird | HTTP | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | See Note 24 |
| CVE-2024-0727 | Oracle Solaris | OpenSSL | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4, 11.3, 10 | |
Notes:
1. This patch also addresses CVE-2024-0450.2. This patch also addresses CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3863 CVE-2024-3864.
3. This patch also addresses CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3863 CVE-2024-3864.
4. This patch also addresses CVE-2023-6129 CVE-2024-20994 CVE-2024-20998 CVE-2024-21000 CVE-2024-21008 CVE-2024-21013 CVE-2024-21047 CVE-2024-21054 CVE-2024-21060 CVE-2024-21062 CVE-2024-21069 CVE-2024-21087 CVE-2024-21096.
5. This patch also addresses CVE-2024-4854 CVE-2024-4855.
6. This patch also addresses CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777.
7. This patch also addresses CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777.
8. This patch also addresses CVE-2023-31102.
9. This patch also addresses CVE-2023-4408 CVE-2023-50387.
10. This patch also addresses CVE-2024-24259.
11. This patch also addresses CVE-2024-27983.
12. This patch also addresses CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785.
13. This patch also addresses CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473.
14. This patch also addresses CVE-2015-2809.
15. This patch also addresses CVE-2019-20633 CVE-2021-45261.
16. This patch also addresses CVE-2023-46219.
17. This patch also addresses CVE-2023-46853.
18. This patch also addresses CVE-2023-52356.
19. This patch also addresses CVE-2023-4408 CVE-2023-50387 CVE-2023-5517 CVE-2023-5679 CVE-2023-6516.
20. This patch also addresses CVE-2023-50387.
21. This patch also addresses CVE-2024-21890 CVE-2024-21891 CVE-2024-21896 CVE-2024-22019.
22. This patch also addresses CVE-2024-24549.
23. This patch also addresses CVE-2024-0743 CVE-2024-2605 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616.
24. This patch also addresses CVE-2024-0743 CVE-2024-2605 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616.