Oracle Solaris Third Party Bulletin - April 2021


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day that Oracle Critical Patch Updates are released. These bulletins are also updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated out of cycle for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 July 2021
  • 19 October 2021
  • 18 January 2022
  • 19 April 2022

References


Modification History

Date Note
2021-May-18 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 33
2021-April-20 Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 32. Solaris 11.3 ESU 36.25 was released as well.

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 49 new security patches for the Oracle Solaris Operating System. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. In the risk matrix below this corresponds to the rows whose CVSS Attack Vector is Network and whose Privileges Required is None.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 2: Published on 2021-05-18

The Product column is Oracle Solaris for every row. The eight CVSS version 3.1 metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability; see Risk Matrix Definitions) are given as a single vector string.

CVE# | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | CVSS 3.1 vector | Supported Versions Affected | Notes
CVE-2020-14343 | PyYAML | Multiple | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 11.4 | See Note 1
CVE-2020-36242 | Python cryptographic standard library | Multiple | Yes | 9.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 11.4 |
CVE-2021-1870 | WebKitGTK | Multiple | Yes | 8.8 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 2
CVE-2021-25289 | Python Imaging Library (PIL) | Multiple | Yes | 8.8 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 3
CVE-2021-26937 | GNU Screen | Multiple | Yes | 8.8 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 |
CVE-2021-26937 | XTerm | Multiple | Yes | 8.8 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 4
CVE-2020-35492 | Cairo Graphics Library | None | No | 8.6 | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 11.4 |
CVE-2020-14409 | LibSDL | None | No | 7.8 | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 5
CVE-2020-14150 | GNU Bison | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 |
CVE-2020-17525 | Apache Subversion | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 |
CVE-2021-21300 | Git | Multiple | Yes | 7.5 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 |
CVE-2021-23840 | OpenSSL | SSL/TLS | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4, 10 | See Note 6
CVE-2021-23840 | OpenSSL | SSL/TLS | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 11.4 | See Note 7
CVE-2021-23840 | OpenSSL | SSL/TLS | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 |
CVE-2007-1562 | libcurl | Multiple | Yes | 7.4 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 11.4 | See Note 8
CVE-2021-28041 | OpenSSH | Multiple | No | 7.1 | AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H | 11.4 |
CVE-2021-28153 | GLib | None | No | 7.1 | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H | 11.4 |
CVE-2020-35523 | LibTIFF | None | No | 7.0 | AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 9
CVE-2019-9792 | SpiderMonkey | Multiple | Yes | 6.5 | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 11.4 | See Note 10
CVE-2021-3181 | Mutt | Multiple | Yes | 6.5 | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 11.4 |
CVE-2021-2161 | JDK 7 | Multiple | Yes | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 11.4 | See Note 11
CVE-2021-2161 | JDK 8 | Multiple | Yes | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 11.4 | See Note 12
CVE-2020-36241 | GNOME | Multiple | No | 5.5 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 11.4 |
CVE-2021-20176 | ImageMagick | None | No | 5.5 | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 11.4 | See Note 13
CVE-2020-28493 | Jinja2 | Multiple | Yes | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 11.4 |
CVE-2020-35521 | LibTIFF | None | No | 4.7 | AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H | 11.4 | See Note 14
CVE-2020-36241 | GNOME | Multiple | No | 3.9 | AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L | 11.4 | See Note 15
CVE-2020-8231 | libcurl | Multiple | Yes | 3.1 | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 11.4 |

Revision 1: Published on 2021-04-20

The Product column is Oracle Solaris for every row; the CVSS version 3.1 metrics are given as a vector string, as above.

CVE# | Third Party component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | CVSS 3.1 vector | Supported Versions Affected | Notes
CVE-2019-9791 | SpiderMonkey | Multiple | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 11.4 |
CVE-2021-3177 | Python | Multiple | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 11.4 | See Note 16
CVE-2020-13558 | WebKitGTK | HTTP | Yes | 8.8 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 |
CVE-2020-28948 | PEAR | Multiple | No | 7.8 | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 17
CVE-2020-35457 | GLib | Multiple | No | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 11.4 |
CVE-2021-20215 | Privoxy | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 18
CVE-2020-8265 | Node.js | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 19
CVE-2021-22173 | Wireshark | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 20
CVE-2021-27218 | GLib | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 21
CVE-2018-7160 | Node.js | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 22
CVE-2021-27212 | OpenLDAP | LDAP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 |
CVE-2021-20272 | Privoxy | Multiple | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 23
CVE-2021-23987 | Firefox | Multiple | Yes | 7.5 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 24
CVE-2021-23987 | Thunderbird | Multiple | Yes | 7.5 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 11.4 | See Note 25
CVE-2021-25122 | Apache Tomcat | None | No | 7.0 | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 11.4 | See Note 26
CVE-2021-22191 | Wireshark | Multiple | Yes | 6.3 | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | 11.4 |
CVE-2021-2011 | MySQL | Multiple | Yes | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 27
CVE-2021-23336 | Django | HTTP | Yes | 5.9 | AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H | 11.4 |
CVE-2021-23336 | Python | HTTP | Yes | 5.9 | AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H | 11.4 |
CVE-2021-3281 | Django | HTTP | Yes | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 11.4 |
CVE-2021-2001 | MySQL | Multiple | No | 4.9 | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 11.4 | See Note 28

Notes:

1. This patch also addresses CVE-2020-1747.

2. This patch also addresses CVE-2020-27918 CVE-2020-29623 CVE-2020-9947 CVE-2021-1765 CVE-2021-1789 CVE-2021-1799 CVE-2021-1801.

3. This patch also addresses CVE-2020-35654 CVE-2021-25290 CVE-2021-25291 CVE-2021-25292 CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923.

4. This patch also addresses CVE-2021-27135.

5. This patch also addresses CVE-2020-14410.

6. This patch also addresses CVE-2021-23839 CVE-2021-23841.

7. This patch also addresses CVE-2021-23839 CVE-2021-23841.

8. This patch also addresses CVE-2020-8284 CVE-2020-8285 CVE-2020-8286.

9. This patch also addresses CVE-2020-35524.

10. This patch also addresses CVE-2019-11750.

11. This patch also addresses CVE-2021-2163.

12. This patch also addresses CVE-2021-2163.

13. This patch also addresses CVE-2021-20241 CVE-2021-20245 CVE-2021-20246.

14. This patch also addresses CVE-2020-35522.

15. This patch also addresses CVE-2021-28650.

16. This patch also addresses CVE-2021-23336.

17. This patch also addresses CVE-2020-28949.

18. This patch also addresses CVE-2020-35502 CVE-2021-20210 CVE-2021-20211 CVE-2021-20212 CVE-2021-20213 CVE-2021-20214 CVE-2021-20215.

19. This patch also addresses CVE-2020-1971 CVE-2020-8287.

20. This patch also addresses CVE-2020-26422 CVE-2021-22174.

21. This patch also addresses CVE-2021-27219.

22. This patch also addresses CVE-2021-22883 CVE-2021-22884 CVE-2021-23840.

23. This patch also addresses CVE-2021-20273 CVE-2021-20274 CVE-2021-20275 CVE-2021-20276.

24. This patch also addresses CVE-2021-23981 CVE-2021-23982 CVE-2021-23984.

25. This patch also addresses CVE-2021-23981 CVE-2021-23982 CVE-2021-23984.

26. This patch also addresses CVE-2020-9484 CVE-2021-25329.

27. This patch also addresses CVE-2021-2001 CVE-2021-2010 CVE-2021-2014 CVE-2021-2022 CVE-2021-2032 CVE-2021-2060.

28. This patch also addresses CVE-2021-2010 CVE-2021-2022 CVE-2021-2060.