Oracle Solaris Third Party Bulletin - January 2017
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 18 April 2017
- 18 July 2017
- 17 October 2017
- 16 January 2018
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| 2017-March-28 | Rev 4. Added all CVEs fixed in Solaris 11.3 SRU 18 |
| 2017-February-22 | Rev 3. Added all CVEs fixed in Solaris 11.3 SRU 17 |
| 2017-January-26 | Rev 2. Added Bind CVEs |
| 2017-January-17 | Rev 1. Initial Release |
Oracle Solaris Executive Summary
This Third Party Bulletin contains 53 new security fixes for the Oracle Solaris. 44 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Risk Matrix
Revision 4: Published on 2017-03-28
| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2016-10196 | Oracle Solaris | LibEvent | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 1 |
| CVE-2016-4049 | Oracle Solaris | Quagga | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2016-8707 | Oracle Solaris | ImageMagick | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3, 10 | See Note 2 |
| CVE-2017-5495 | Oracle Solaris | Quagga | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2017-5596 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 3 |
| CVE-2017-5390 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 4 |
| CVE-2016-8620 | Oracle Solaris | libcurl | Multiple | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.3 | |
| CVE-2016-9586 | Oracle Solaris | libcurl | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-8615 | Oracle Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8618 | Oracle Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8619 | Oracle Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8621 | Oracle Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.3 | |
| CVE-2016-8624 | Oracle Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8743 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 4 | Network | High | None | None | Changed | None | Low | None | 11.3 | |
| CVE-2016-8616 | Oracle Solaris | libcurl | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8622 | Oracle Solaris | libcurl | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8617 | Oracle Solaris | libcurl | None | No | 3.3 | Local | Low | Low | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8623 | Oracle Solaris | libcurl | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 11.3 | |
Revision 3: Published on 2017-02-22
| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2016-3191 | Oracle Solaris | PCRE | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | |
| CVE-2016-10003 | Oracle Solaris | Squid | Multiple | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 11.3 | See Note 5 |
| CVE-2015-7674 | Oracle Solaris | gdk-pixbuf | Multiple | Yes | 7.6 | Network | Low | None | Required | Unchanged | Low | Low | High | 11.3, 10 | |
| CVE-2016-8743 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | See Note 6 |
| CVE-2016-9899 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 7 |
| CVE-2017-5390 | Oracle Solaris | Firefox | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 8 |
| CVE-2016-2125 | Oracle Solaris | SMB | Multiple | No | 6.6 | Network | High | High | None | Changed | High | Low | None | 11.3, 10 | See Note 9 |
| CVE-2013-7447 | Oracle Solaris | GTK+ | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.3 | |
| CVE-2015-8875 | Oracle Solaris | gdk-pixbuf | Multiple | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.3, 10 | See Note 10 |
| CVE-2016-8740 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2017-3731 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2017-3732 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.3, 10 | |
| CVE-2016-9401 | Oracle Solaris | Bash | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | High | None | 11.3 | |
| CVE-2016-10168 | Oracle Solaris | GD2 Graphics Draw Library | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3 | See Note 11 |
| CVE-2016-7799 | Oracle Solaris | ImageMagick | None | No | 5.1 | Local | Low | None | None | Unchanged | Low | None | Low | 11.3, 10 | See Note 12 |
| CVE-2016-7543 | Oracle Solaris | Bash | None | No | 4.9 | Local | High | None | None | Unchanged | Low | Low | Low | 11.3, 10 | See Note 13 |
| CVE-2016-7055 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2016-9844 | Oracle Solaris | Zipinfo | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3 | |
Revision 2: Published on 2017-01-26
| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2016-9131 | Oracle Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | See Note 14 |
Revision 1: Published on 2017-01-17
| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2016-8704 | Oracle Solaris | Memcached | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | See Note 15 |
| CVE-2016-5276 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 16 |
| CVE-2016-3427 | Oracle Solaris | Apache Tomcat Version 8 | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3, 10 | See Note 17 |
| CVE-2016-3427 | Oracle Solaris | Apache Tomcat Version 6 | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3, 10 | See Note 18 |
| CVE-2016-4994 | Oracle Solaris | Gimp | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9079 | Oracle Solaris | Firefox | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | |
| CVE-2016-9079 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | |
| CVE-2016-9899 | Oracle Solaris | Firefox | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 19 |
| CVE-2016-9372 | Oracle Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9373 | Oracle Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9374 | Oracle Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9375 | Oracle Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9376 | Oracle Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-8745 | Oracle Solaris | Apache Tomcat Version 8 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.3, 10 | |
| CVE-2014-0016 | Oracle Solaris | Stunnel | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.3 | |
| CVE-2014-1624 | Oracle Solaris | Python-xdg | None | No | 4 | Local | High | None | None | Unchanged | None | Low | Low | 11.3 | |
Notes:
- This fix also addresses CVE-2016-10195 CVE-2016-10197.
- This fix also addresses CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 CVE-2017-5507 CVE-2017-5508 CVE-2017-5509 CVE-2017-5510 CVE-2017-5511.
- This fix also addresses CVE-2017-5597.
- This fix also addresses CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5396.
- This fix also addresses CVE-2016-10002.
- This fix also addresses CVE-2016-0736 CVE-2016-2161.
- This fix also addresses CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9900 CVE-2016-9904 CVE-2016-9905.
- This fix also addresses CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5396.
- This fix also addresses CVE-2016-2123 CVE-2016-2126.
- This fix also addresses CVE-2015-7674.
- This fix also addresses CVE-2016-10167.
- This fix also addresses CVE-2016-7906 CVE-2016-8862 CVE-2016-9298 CVE-2016-9556 CVE-2016-9559.
- This fix also addresses CVE-2016-0634.
- This fix also addresses CVE-2016-9147 CVE-2016-9444.
- This fix also addresses CVE-2016-8705 CVE-2016-8706.
- This fix also addresses CVE-2016-5250 CVE-2016-5257 CVE-2016-5270 CVE-2016-5272 CVE-2016-5274 CVE-2016-5277 CVE-2016-5278 CVE-2016-5280 CVE-2016-5284 CVE-2016-5290 CVE-2016-5291 CVE-2016-5294 CVE-2016-5296 CVE-2016-5297 CVE-2016-9066 CVE-2016-9074.
- This fix also addresses CVE-2016-6816 CVE-2016-6817 CVE-2016-8735.
- This fix also addresses CVE-2016-6816 CVE-2016-8735.
- This fix also addresses CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904 CVE-2016-9905.