Oracle Solaris Third Party Bulletin - April 2024


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins are also updated for the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 16 July 2024
  • 15 October 2024
  • 21 January 2025
  • 15 April 2025

Modification History

| Date | Note |
|------|------|
| 2024-May-24 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 69 |
| 2024-April-16 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 68 and Solaris 11.3 ESU 36.33 |

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 50 new security patches for the Oracle Solaris Operating System. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 2: Published on 2024-05-24

The columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|--------|---------|-----------------------|----------|-------------------------------|------------|---------------|-------------------|-------------|---------------|-------|-----------------|-----------|--------------|-----------------------------|-------|
| CVE-2022-37026 | Oracle Solaris | Erlang | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2023-6816 | Oracle Solaris | X.Org | None | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2022-33065 | Oracle Solaris | Libsndfile | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2023-40481 | Oracle Solaris | 7-Zip | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 1 |
| CVE-2024-2955 | Oracle Solaris | Wireshark | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2023-41993 | Oracle Solaris | JDK 8 | None | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2023-50269 | Oracle Solaris | Squid | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2023-50868 | Oracle Solaris | DNSmasq | DNSSEC | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 2 |
| CVE-2023-51764 | Oracle Solaris | Postfix | SMTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 | |
| CVE-2024-2002 | Oracle Solaris | libdwarf | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-24258 | Oracle Solaris | freeglut | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 3 |
| CVE-2024-27982 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 4 |
| CVE-2024-1013 | Oracle Solaris | UnixODBC | None | No | 7.1 | Local | Low | Low | None | Unchanged | High | None | High | 11.4 | |
| CVE-2022-47069 | Oracle Solaris | p7zip | None | No | 7.0 | Local | High | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2023-42465 | Oracle Solaris | Sudo | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 11.4 | |
| CVE-2023-45289 | Oracle Solaris | Go Programming Language | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | High | None | 11.4 | See Note 5 |
| CVE-2024-23638 | Oracle Solaris | Squid | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 | |
| CVE-2023-38469 | Oracle Solaris | Avahi | DNS | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 6 |
| CVE-2023-50246 | Oracle Solaris | Command-line JSON Processor | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2023-5341 | Oracle Solaris | ImageMagick | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 11.4 | |
| null | Oracle Solaris | HPLIP | Multiple | No | 6.1 | Local | Low | Low | Required | Unchanged | Low | High | Low | 11.4 | |
| CVE-2023-48795 | Oracle Solaris | libssh | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 11.4 | |
| CVE-2017-6519 | Oracle Solaris | Avahi | DNS | Yes | 5.8 | Network | Low | None | None | Changed | None | None | Low | 11.4 | See Note 7 |
| CVE-2021-45261 | Oracle Solaris | GNU Patch | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 8 |
| CVE-2023-7104 | Oracle Solaris | SQLite3 | HTTP | No | 5.5 | Adjacent Network | Low | Low | None | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2023-46218 | Oracle Solaris | libcurl | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.4 | See Note 9 |
| CVE-2023-46852 | Oracle Solaris | Memcached | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 10 |
| CVE-2023-52425 | Oracle Solaris | libexpat | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2023-52426 | Oracle Solaris | libexpat | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2023-5678 | Oracle Solaris | OpenSSL | TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2023-7250 | Oracle Solaris | iperf | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| null | Oracle Solaris | OpenLDAP server | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.4 | |
| CVE-2024-0690 | Oracle Solaris | Ansible | None | No | 5.0 | Local | Low | Low | Required | Unchanged | High | None | None | 11.4 | |
| CVE-2023-5363 | Oracle Solaris | MySQL | Multiple | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-25629 | Oracle Solaris | C-Ares Asynchronous Dns Library | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-0853 | Oracle Solaris | libcurl | HTTP | No | 3.8 | Network | Low | High | None | Unchanged | Low | Low | None | 11.4 | |
| CVE-2023-6237 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 11.4 | |


Revision 1: Published on 2024-04-16

The columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|--------|---------|-----------------------|----------|-------------------------------|------------|---------------|-------------------|-------------|---------------|-------|-----------------|-----------|--------------|-----------------------------|-------|
| CVE-2023-51257 | Oracle Solaris | Ghostscript | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 10 | |
| CVE-2023-50868 | Oracle Solaris | Unbound | DNSSEC | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 11 |
| CVE-2023-50868 | Oracle Solaris | Bind | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 12 |
| CVE-2023-51765 | Oracle Solaris | Sendmail | SMTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 | |
| CVE-2023-52355 | Oracle Solaris | LibTIFF | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 13 |
| CVE-2024-0743 | Oracle Solaris | Netscape Security Services | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-21891 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 14 |
| CVE-2024-23672 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 15 |
| CVE-2024-24806 | Oracle Solaris | libuv | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2022-40982 | Oracle Solaris | Kernel | None | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 11.4 | |
| CVE-2023-5388 | Oracle Solaris | Firefox | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 16 |
| CVE-2023-5388 | Oracle Solaris | Thunderbird | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 17 |
| CVE-2024-0727 | Oracle Solaris | OpenSSL | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4, 11.3, 10 | |


Notes:

1. This patch also addresses CVE-2023-31102.

2. This patch also addresses CVE-2023-4408, CVE-2023-50387.

3. This patch also addresses CVE-2024-24259.

4. This patch also addresses CVE-2024-27983.

5. This patch also addresses CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785.

6. This patch also addresses CVE-2023-38470, CVE-2023-38471, CVE-2023-38472, CVE-2023-38473.

7. This patch also addresses CVE-2015-2809.

8. This patch also addresses CVE-2019-20633, CVE-2021-45261.

9. This patch also addresses CVE-2023-46219.

10. This patch also addresses CVE-2023-46853.

11. This patch also addresses CVE-2023-50387.

12. This patch also addresses CVE-2023-4408, CVE-2023-50387, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516.

13. This patch also addresses CVE-2023-52356.

14. This patch also addresses CVE-2024-21890, CVE-2024-21891, CVE-2024-21896, CVE-2024-22019.

15. This patch also addresses CVE-2024-24549.

16. This patch also addresses CVE-2024-0743, CVE-2024-2605, CVE-2024-2607, CVE-2024-2608, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, CVE-2024-2616.

17. This patch also addresses CVE-2024-0743, CVE-2024-2605, CVE-2024-2607, CVE-2024-2608, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, CVE-2024-2616.