Oracle Solaris Third Party Bulletin - January 2024
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 16 April 2024
- 16 July 2024
- 15 October 2024
- 21 January 2025
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2024-March-19 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 67 |
| 2024-February-23 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 66 |
| 2024-January-16 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 65 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 48 new security patches for the Oracle Solaris Operating System. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2024-03-19
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2024-0750 | Oracle Solaris | Firefox | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2024-0750 | Oracle Solaris | Thunderbird | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2023-50447 | Oracle Solaris | Python Imaging Library (PIL) | HTTP | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2023-51713 | Oracle Solaris | ProFTPD | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-1546 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2024-1546 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2024-24680 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-22195 | Oracle Solaris | Jinja2 | HTTP | Yes | 5.4 | Network | Low | None | Required | Un changed |
Low | Low | None | 11.4 | |
Revision 2: Published on 2024-02-23
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2023-38408 | Oracle Solaris | OpenSSH | SSH | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2024-25617 | Oracle Solaris | Squid | Multiple | Yes | 9.3 | Network | Low | None | None | Changed | High | Low | None | 11.4 | See Note 5 |
| CVE-2023-6856 | Oracle Solaris | Firefox | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2023-6856 | Oracle Solaris | Thunderbird | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2022-32200 | Oracle Solaris | libdwarf | Multiple | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2022-46344 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2023-5367 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2024-0207 | Oracle Solaris | Wireshark | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-22218 | Oracle Solaris | libssh | SSH | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-44487 | Oracle Solaris | Nghttp2 | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-45285 | Oracle Solaris | Go Programming Language | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2023-46751 | Oracle Solaris | Ghostscript | None | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-20918 | Oracle Solaris | JDK 8 | Multiple | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | |
| CVE-2023-47038 | Oracle Solaris | Perl | None | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2023-43787 | Oracle Solaris | X.Org | None | No | 6.7 | Local | High | None | None | Un changed |
High | None | High | 11.4 | See Note 10 |
| CVE-2023-5764 | Oracle Solaris | Ansible | None | No | 6.6 | Local | Low | Low | Required | Un changed |
High | High | None | 11.4 | |
| CVE-2023-6175 | Oracle Solaris | Wireshark | None | No | 6.6 | Local | Low | None | Required | Un changed |
Low | Low | High | 11.4 | See Note 11 |
| CVE-2023-40745 | Oracle Solaris | LibTIFF | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 12 |
| CVE-2023-51385 | Oracle Solaris | OpenSSH | SSH | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4 | |
| CVE-2014-10402 | Oracle Solaris | Perl | None | No | 6.1 | Local | Low | Low | None | Un changed |
High | None | Low | 11.4 | |
| CVE-2023-22053 | Oracle Solaris | MySQL | Multiple | No | 5.9 | Network | High | Low | None | Un changed |
Low | None | High | 11.4 | |
| CVE-2023-27371 | Oracle Solaris | libmicrohttpd | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-48795 | Oracle Solaris | OpenSSH | SSH | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2023-48795 | Oracle Solaris | Paramiko | SSH | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2023-34872 | Oracle Solaris | Poppler | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2023-39615 | Oracle Solaris | libxml2 | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2023-40305 | Oracle Solaris | GNU Indent | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2023-49990 | Oracle Solaris | eSpeak | None | No | 5.3 | Local | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2023-5363 | Oracle Solaris | OpenSSL | HTTPS | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2023-5371 | Oracle Solaris | Wireshark | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2024-01-16
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2023-43115 | Oracle Solaris | Ghostscript | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2023-49083 | Oracle Solaris | Python cryptographic standard library | HTTPS | Yes | 9.1 | Network | Low | None | None | Un changed |
None | High | High | 11.4 | |
| CVE-2023-4863 | Oracle Solaris | Libwebp | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2023-2610 | Oracle Solaris | Vim | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2023-46589 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2023-6207 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 14 |
| CVE-2023-6207 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 15 |
| CVE-2023-38559 | Oracle Solaris | Ghostscript | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 16 |
| CVE-2023-48231 | Oracle Solaris | Vim | None | No | 3.9 | Local | Low | Low | Required | Un changed |
None | Low | Low | 11.4 | |
| CVE-2023-48706 | Oracle Solaris | Vim | None | No | 3.6 | Local | High | None | Required | Un changed |
None | Low | Low | 11.4 | |
Notes:
1. This patch also addresses CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755.2. This patch also addresses CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755.
3. This patch also addresses CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553.
4. This patch also addresses CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553.
5. This patch also addresses CVE-2023-46728 CVE-2023-46846 CVE-2023-46847 CVE-2023-46848 CVE-2023-49285 CVE-2023-49286 CVE-2023-49288 CVE-2023-5824.
6. This patch also addresses CVE-2020-27545 CVE-2020-28163 CVE-2022-32200 CVE-2022-34299 CVE-2022-39170.
7. This patch also addresses CVE-2023-6377 CVE-2023-6478.
8. This patch also addresses CVE-2023-5380 CVE-2023-5574.
9. This patch also addresses CVE-2023-39326.
10. This patch also addresses CVE-2022-46285 CVE-2023-43785 CVE-2023-43786 CVE-2023-43788 CVE-2023-43789.
11. This patch also addresses CVE-2023-6174.
12. This patch also addresses CVE-2023-41175.
13. This patch also addresses CVE-2023-46246 CVE-2023-4733 CVE-2023-4734 CVE-2023-4735 CVE-2023-4736 CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781 CVE-2023-5344 CVE-2023-5441.
14. This patch also addresses CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6208 CVE-2023-6209 CVE-2023-6210 CVE-2023-6211 CVE-2023-6212 CVE-2023-6213.
15. This patch also addresses CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212.
16. This patch also addresses CVE-2023-38560.