Oracle Solaris Third Party Bulletin - April 2020
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 14 July 2020
- 20 October 2020
- 19 January 2021
- 20 April 2021
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2020-June-16 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 22 |
| 2020-May-19 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 21 |
| 2020-April-14 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.20 and Solaris 11.4 SRU 20 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 75 new security patches for the Oracle Solaris Operating System. 58 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2020-06-16
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-12519 | Oracle Solaris | Squid | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-11656 | Oracle Solaris | SQLite | Multiple | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-12388 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-12395 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-6825 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-6825 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-7065 | Oracle Solaris | PHP | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-8616 | Oracle Solaris | Bind | Multiple | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 11.4, 10 | |
| CVE-2020-11647 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-12243 | Oracle Solaris | OpenLDAP | LDAP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-12767 | Oracle Solaris | libexif | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-13164 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-9484 | Oracle Solaris | Apache Tomcat | Multiple | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-1934 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4, 10 | |
| CVE-2020-9327 | Oracle Solaris | SQLite | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
Revision 2: Published on 2020-05-19
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-18342 | Oracle Solaris | PyYAML | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2017-5645 | Oracle Solaris | Apache Ant | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-1010238 | Oracle Solaris | GNOME Pango | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-15605 | Oracle Solaris | Node.js | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2019-9636 | Oracle Solaris | Python | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-7471 | Oracle Solaris | Django | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-9402 | Oracle Solaris | Django | HTTP | Yes | 9.1 | Network | Low | None | None | Un changed |
High | High | None | 11.4 | |
| CVE-2019-8720 | Oracle Solaris | WebKitGTK | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2019-9278 | Oracle Solaris | libexif | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-3864 | Oracle Solaris | WebKitGTK | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2020-9273 | Oracle Solaris | ProFTPD | FTP | No | 8.8 | Network | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-16789 | Oracle Solaris | Waitress | HTTP | Yes | 8.2 | Network | Low | None | None | Un changed |
Low | High | None | 11.4 | |
| CVE-2017-6363 | Oracle Solaris | LibGD | Multiple | Yes | 8.1 | Network | Low | None | Required | Un changed |
High | None | High | 11.4 | |
| CVE-2019-12526 | Oracle Solaris | Squid | HTTP | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2020-9308 | Oracle Solaris | libarchive | Multiple | Yes | 7.6 | Network | Low | None | Required | Un changed |
Low | Low | High | 11.4 | |
| CVE-2015-9541 | Oracle Solaris | Qt Toolkit | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2017-15041 | Oracle Solaris | GCC Go | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 5 |
| CVE-2018-12120 | Oracle Solaris | Node.js | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 6 |
| CVE-2019-12528 | Oracle Solaris | Squid | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2019-14907 | Oracle Solaris | Samba | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 10 | See Note 8 |
| CVE-2019-16785 | Oracle Solaris | Waitress | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | See Note 9 |
| CVE-2019-16792 | Oracle Solaris | Waitress | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2019-19956 | Oracle Solaris | libxml2 | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2019-20454 | Oracle Solaris | PCRE | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2019-6977 | Oracle Solaris | LibGD | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 10 |
| CVE-2019-9512 | Oracle Solaris | GCC Go | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 11 |
| CVE-2019-9928 | Oracle Solaris | GStreamer | RTSP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-10018 | Oracle Solaris | WebKitGTK | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-0569 | Oracle Solaris | Qt Toolkit | None | No | 7.3 | Local | Low | Low | Required | Un changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2019-15690 | Oracle Solaris | VNC | RFB | No | 7.2 | Network | Low | High | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-3855 | Oracle Solaris | libssh2 | SSH | Yes | 6.8 | Network | High | None | Required | Un changed |
None | High | High | 11.4 | See Note 13 |
| CVE-2020-2579 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2019-19317 | Oracle Solaris | SQLite | Multiple | No | 6.3 | Network | Low | Low | None | Un changed |
Low | Low | Low | 11.4 | See Note 15 |
| CVE-2019-19244 | Oracle Solaris | SQLite | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2019-19948 | Oracle Solaris | ImageMagick | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | See Note 16 |
| CVE-2020-2570 | Oracle Solaris | MySQL | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | See Note 17 |
| CVE-2019-20433 | Oracle Solaris | GNU Aspell | None | No | 5.8 | Local | High | Low | None | Un changed |
Low | Low | High | 11.4 | |
| CVE-2019-15890 | Oracle Solaris | QEMU | None | No | 5.6 | Local | High | Low | None | Changed | None | None | High | 11.4 | |
| CVE-2017-18248 | Oracle Solaris | Common Unix Printing System (CUPS) | Multiple | No | 5.3 | Network | High | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2018-12121 | Oracle Solaris | Node.js | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 18 |
| CVE-2019-10218 | Oracle Solaris | Samba | Multiple | Yes | 5.3 | Network | High | None | Required | Un changed |
None | High | None | 10 | See Note 19 |
| CVE-2019-1551 | Oracle Solaris | OpenSSL | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 10 | |
| CVE-2018-18751 | Oracle Solaris | Gnu gettext | None | No | 4 | Local | Low | None | None | Un changed |
Low | None | None | 11.4 | See Note 20 |
| CVE-2019-8675 | Oracle Solaris | Common Unix Printing System (CUPS) | SNMP | No | 3.5 | Adjacent Network |
Low | Low | None | Un changed |
None | None | Low | 11.4 | See Note 21 |
| CVE-2019-14249 | Oracle Solaris | libdwarf | None | No | 3.3 | Local | Low | Low | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2019-19308 | Oracle Solaris | gnome-font-viewer | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4 | |
| CVE-2018-3639 | Oracle Solaris | Firefox | Multiple | No | 0 | Network | High | Low | None | Un changed |
None | None | None | 11.4 | |
Revision 1: Published on 2020-04-14
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-16301 | Oracle Solaris | Libpcap | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 22 |
| CVE-2019-17569 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 8.6 | Network | Low | None | None | Un changed |
High | Low | Low | 10 | See Note 23 |
| CVE-2019-6477 | Oracle Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 10 | |
| CVE-2020-6851 | Oracle Solaris | OpenJPEG | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-9428 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 24 |
| CVE-2020-7061 | Oracle Solaris | PHP | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 25 |
| CVE-2020-6814 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 26 |
| CVE-2020-6814 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 27 |
| CVE-2019-19232 | Oracle Solaris | Sudo | None | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | See Note 28 |
| CVE-2020-8112 | Oracle Solaris | OpenJPEG | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-15164 | Oracle Solaris | Libpcap | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2019-13038 | Oracle Solaris | mod_auth_mellon | HTTP | Yes | 5.4 | Network | Low | None | Required | Un changed |
Low | Low | None | 11.4 | |
| CVE-2018-10103 | Oracle Solaris | TCPdump | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 29 |
Notes:
1. This patch also addresses CVE-2019-20477.2. This patch also addresses CVE-2019-15604 CVE-2019-15606.
3. This patch also addresses CVE-2020-3862 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868.
4. This patch also addresses CVE-2019-12523 CVE-2019-13345 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2019-18860.
5. This patch also addresses CVE-2017-15042 CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2019-14809.
6. This patch also addresses CVE-2018-0734 CVE-2018-0735 CVE-2018-12116 CVE-2018-12121 CVE-2018-12122 CVE-2018-12123 CVE-2018-5407.
7. This patch also addresses CVE-2020-8449 CVE-2020-8450 CVE-2020-8517.
8. This patch also addresses CVE-2019-14902 CVE-2019-19344.
9. This patch also addresses CVE-2019-16786 CVE-2020-5236.
10. This patch also addresses CVE-2018-14553.
11. This patch also addresses CVE-2019-9514.
12. This patch also addresses CVE-2020-0570.
13. This patch also addresses CVE-2019-13115 CVE-2019-17498.
14. This patch also addresses CVE-2020-2574 CVE-2020-2790.
15. This patch also addresses CVE-2019-19242 CVE-2019-19244 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218.
16. This patch also addresses CVE-2019-19949 CVE-2019-19952.
17. This patch also addresses CVE-2020-2572 CVE-2020-2573 CVE-2020-2577 CVE-2020-2584 CVE-2020-2589 CVE-2020-2660.
18. This patch also addresses CVE-2019-1559 CVE-2019-5737 CVE-2019-5739.
19. This patch also addresses CVE-2019-14833 CVE-2019-14847.
20. This patch also addresses CVE-2019-9740.
21. This patch also addresses CVE-2019-8696.
22. This patch also addresses CVE-2019-15161 CVE-2019-15162 CVE-2019-15163 CVE-2019-15165.
23. This patch also addresses CVE-2020-1935 CVE-2020-1938.
24. This patch also addresses CVE-2020-9429 CVE-2020-9430 CVE-2020-9431.
25. This patch also addresses CVE-2020-7062 CVE-2020-7063.
26. This patch also addresses CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812.
27. This patch also addresses CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812.
28. This patch also addresses CVE-2019-19234.
29. This patch also addresses CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166.