Oracle Solaris Third Party Bulletin - October 2022


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins are also updated during the two months following their release (i.e., the two months between consecutive quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 17 January 2023
  • 18 April 2023
  • 18 July 2023
  • 17 October 2023

References


Modification History

Date | Note
2023-February-14 | Rev 4. Added CVE-2022-42898 fixed in SRU 51 (no user action required)
2022-December-20 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 52
2022-November-15 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 51
2022-October-18 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 50 and Solaris 11.3 ESU 36.30

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 56 new security patches for the Oracle Solaris Operating System. 40 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.


Oracle Solaris Third Party Bulletin Risk Matrix

Revision 4: Published on 2023-02-14

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-42898 | Oracle Solaris | Kerberos | Kerberos | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.4 |

Revision 3: Published on 2022-12-20

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-35256 | Oracle Solaris | Node.js | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 1
CVE-2022-37454 | Oracle Solaris | Python | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2022-37454 | Oracle Solaris | PHP | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2022-43548 | Oracle Solaris | Node.js | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | See Note 2
CVE-2015-20107 | Oracle Solaris | Python | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | Low | High | Low | 11.4 |
CVE-2022-41323 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2022-42252 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 |
CVE-2022-42927 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 3
CVE-2022-42927 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 4
CVE-2022-45403 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 5
CVE-2022-45403 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 6
CVE-2022-31630 | Oracle Solaris | PHP | None | No | 7.1 | Local | Low | None | Required | Unchanged | High | None | High | 11.4 | See Note 7
CVE-2022-3597 | Oracle Solaris | LibTIFF | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 8
CVE-2022-3570 | Oracle Solaris | LibTIFF | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 |

Revision 2: Published on 2022-11-15

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-2207 | Oracle Solaris | VIM | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 9
CVE-2022-23901 | Oracle Solaris | re2c | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2022-27404 | Oracle Solaris | FreeType | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 10
CVE-2022-40674 | Oracle Solaris | libexpat | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2022-2867 | Oracle Solaris | LibTIFF | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 11
CVE-2022-1920 | Oracle Solaris | GStreamer | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 12
CVE-2022-2125 | Oracle Solaris | VIM | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 13
CVE-2022-24765 | Oracle Solaris | Git | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 14
CVE-2022-26981 | Oracle Solaris | Liblouis | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 |
CVE-2020-10735 | Oracle Solaris | Python | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2022-24070 | Oracle Solaris | Apache Subversion | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 15
CVE-2022-3602 | Oracle Solaris | OpenSSL | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2022-3786 | Oracle Solaris | OpenSSL | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2022-29154 | Oracle Solaris | RSYNC | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | 11.4 | See Note 16
CVE-2022-29458 | Oracle Solaris | Ncurses | None | No | 7.1 | Local | Low | None | Required | Unchanged | High | None | High | 11.4 |
CVE-2021-37750 | Oracle Solaris | Kerberos | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 |
CVE-2021-46823 | Oracle Solaris | Ldap Client Library For Python | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 |
CVE-2022-1348 | Oracle Solaris | Rotates And Compresses Log Files | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 |
CVE-2022-2056 | Oracle Solaris | LibTIFF | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 17
CVE-2022-36087 | Oracle Solaris | Oauth Request Signing | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 |
CVE-2021-42574 | Oracle Solaris | Rust | None | No | 6.3 | Local | High | Low | None | Unchanged | None | High | High | 11.4 | See Note 18
CVE-2022-3032 | Oracle Solaris | Thunderbird | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 19
CVE-2022-40956 | Oracle Solaris | Firefox | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 20
CVE-2022-3190 | Oracle Solaris | Wireshark | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 |
CVE-2022-21628 | Oracle Solaris | JDK 8 | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 |

Revision 1: Published on 2022-10-18

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-1292 | Oracle Solaris | OpenSSL | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4, 11.3, 10 | See Note 21
CVE-2022-2274 | Oracle Solaris | OpenSSL | TLS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2022-31627 | Oracle Solaris | PHP | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2022-37434 | Oracle Solaris | zlib | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2022-31626 | Oracle Solaris | PHP | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 22
CVE-2022-36359 | Oracle Solaris | Django | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 |
CVE-2022-2881 | Oracle Solaris | BIND | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | None | High | 11.4, 10 | See Note 23
CVE-2020-28196 | Oracle Solaris | Kerberos | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 |
CVE-2022-29885 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 24
CVE-2022-34484 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 25
CVE-2022-2509 | Oracle Solaris | GnuTLS | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2022-38472 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 26
CVE-2022-38472 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 27
CVE-2022-36318 | Oracle Solaris | Firefox | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 28
CVE-2022-26373 | Oracle Solaris | Zones | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.4 |
CVE-2022-2097 | Oracle Solaris | OpenSSL | TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.4 |

Notes:

1. This patch also addresses CVE-2018-7160 CVE-2022-32212 CVE-2022-32213 CVE-2022-32215 CVE-2022-32222 CVE-2022-35255.

2. This patch also addresses CVE-2022-3602 CVE-2022-3786.

3. This patch also addresses CVE-2022-42928 CVE-2022-42929 CVE-2022-42932.

4. This patch also addresses CVE-2022-42928 CVE-2022-42929 CVE-2022-42932.

5. This patch also addresses CVE-2022-40674 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45407 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45413 CVE-2022-45415 CVE-2022-45416 CVE-2022-45417 CVE-2022-45418 CVE-2022-45419 CVE-2022-45420 CVE-2022-45421.

6. This patch also addresses CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420 CVE-2022-45421.

7. This patch also addresses CVE-2022-31628 CVE-2022-31629.

8. This patch also addresses CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627.

9. This patch also addresses CVE-2022-2206 CVE-2022-2208 CVE-2022-2210 CVE-2022-2231 CVE-2022-2264 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522 CVE-2022-2571 CVE-2022-2580 CVE-2022-2581 CVE-2022-2598.

10. This patch also addresses CVE-2022-27405 CVE-2022-27406.

11. This patch also addresses CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-1056 CVE-2022-22844 CVE-2022-2868 CVE-2022-2869 CVE-2022-34526.

12. This patch also addresses CVE-2022-1921 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122.

13. This patch also addresses CVE-2022-2175 CVE-2022-2183.

14. This patch also addresses CVE-2022-29187.

15. This patch also addresses CVE-2021-28544.

16. This patch also addresses CVE-2019-6111.

17. This patch also addresses CVE-2022-2057 CVE-2022-2058 CVE-2022-34526.

18. This patch also addresses CVE-2021-42694 CVE-2022-21658.

19. This patch also addresses CVE-2022-3033 CVE-2022-3034 CVE-2022-3155 CVE-2022-36059 CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962.

20. This patch also addresses CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962.

21. This patch also addresses CVE-2022-2068.

22. This patch also addresses CVE-2022-31625.

23. This patch also addresses CVE-2022-2795 CVE-2022-2906 CVE-2022-3080 CVE-2022-38177 CVE-2022-38178.

24. This patch also addresses CVE-2022-34305.

25. This patch also addresses CVE-2022-2226 CVE-2022-31744 CVE-2022-34468 CVE-2022-34470 CVE-2022-34472 CVE-2022-34478 CVE-2022-34479 CVE-2022-34481 CVE-2022-34484 CVE-2022-36318 CVE-2022-36319.

26. This patch also addresses CVE-2022-38473 CVE-2022-38478.

27. This patch also addresses CVE-2022-38473 CVE-2022-38478.

28. This patch also addresses CVE-2022-36319.
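
Because each risk matrix row lists the CVSS Version 3.1 metrics behind its Base Score, the scores can be recomputed, either to check a transcription of the bulletin or to re-score an entry once local exposure is known. The calculator below is an added example and is not part of the Oracle bulletin: the metric weights and the Roundup function follow the published CVSS v3.1 specification, the rows in MATRIX_ROWS are copied from the matrices above, and the function names (base_score, vector_string, check_rows) are this example's own.

```python
"""CVSS v3.1 base-score calculator, checked against rows of the risk matrix.

Added example (not part of the Oracle bulletin). Weights and Roundup follow the
CVSS v3.1 specification; sample rows are copied from the bulletin's matrices.
"""
import math

# Metric weights from the CVSS v3.1 specification, keyed by the words used in
# the bulletin's matrix columns.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required is weighted higher when Scope is Changed.
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, computed in
    integer arithmetic to avoid floating-point artefacts (spec Appendix A)."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a) -> float:
    """Base score from the eight metric columns, in the matrix's column order."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Unchanged":
        impact = 6.42 * iss
        pr_weight = PR_UNCHANGED[pr]
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        pr_weight = PR_CHANGED[pr]
    if impact <= 0:
        return 0.0
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def vector_string(av, ac, pr, ui, scope, c, i, a) -> str:
    """Standard CVSS v3.1 vector string; every metric value abbreviates to its
    first letter (Network -> N, Required -> R, Unchanged -> U, ...)."""
    letters = [v[0] for v in (av, ac, pr, ui, scope, c, i, a)]
    return "CVSS:3.1/AV:{}/AC:{}/PR:{}/UI:{}/S:{}/C:{}/I:{}/A:{}".format(*letters)


# Rows copied from the bulletin: (CVE, listed Base Score, metric columns).
MATRIX_ROWS = [
    ("CVE-2022-42898", 8.8, ("Network", "Low", "Low", "None", "Unchanged", "High", "High", "High")),
    ("CVE-2022-35256", 9.8, ("Network", "Low", "None", "None", "Unchanged", "High", "High", "High")),
    ("CVE-2022-43548", 8.1, ("Network", "High", "None", "None", "Unchanged", "High", "High", "High")),
    ("CVE-2015-20107", 7.6, ("Network", "Low", "Low", "None", "Unchanged", "Low", "High", "Low")),
    ("CVE-2022-2881", 8.2, ("Network", "Low", "None", "None", "Unchanged", "Low", "None", "High")),
    ("CVE-2022-3032", 6.1, ("Network", "Low", "None", "Required", "Changed", "Low", "Low", "None")),
    ("CVE-2021-42574", 6.3, ("Local", "High", "Low", "None", "Unchanged", "None", "High", "High")),
    ("CVE-2022-2097", 5.3, ("Network", "Low", "None", "None", "Unchanged", "Low", "None", "None")),
]


def check_rows(rows=MATRIX_ROWS):
    """Return the CVEs whose listed score disagrees with the recomputed one."""
    return [cve for cve, listed, metrics in rows if base_score(*metrics) != listed]


if __name__ == "__main__":
    for cve, listed, metrics in MATRIX_ROWS:
        print(f"{cve}: listed {listed}, computed {base_score(*metrics)}  {vector_string(*metrics)}")
    print("mismatches:", check_rows())
```

Running the module prints the listed and recomputed score for each sample row together with its vector string; check_rows() returns an empty list for the rows above, i.e. every sampled Base Score agrees with CVSS v3.1 arithmetic, including the Scope Changed rows where the 1.08 multiplier and the modified Impact formula apply.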