Oracle Solaris Third Party Bulletin - April 2024


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 16 July 2024
  • 15 October 2024
  • 21 January 2025
  • 15 April 2025


Modification History

| Date | Note |
|---|---|
| 2024-April-16 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 68 and Solaris 11.3 ESU 36.33 |

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 13 new security patches for the Oracle Solaris Operating System. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 1: Published on 2024-04-16

The columns from Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-51257 | Oracle Solaris | JasPer | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 10 | |
| CVE-2023-50868 | Oracle Solaris | Unbound | DNSSEC | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 1 |
| CVE-2023-50868 | Oracle Solaris | Bind | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 2 |
| CVE-2023-51765 | Oracle Solaris | Sendmail | SMTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 | |
| CVE-2023-52355 | Oracle Solaris | LibTIFF | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 3 |
| CVE-2024-0743 | Oracle Solaris | Netscape Security Services | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-21891 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 4 |
| CVE-2024-23672 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 5 |
| CVE-2024-24806 | Oracle Solaris | libuv | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2022-40982 | Oracle Solaris | Kernel | None | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 11.4 | |
| CVE-2023-5388 | Oracle Solaris | Firefox | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 6 |
| CVE-2023-5388 | Oracle Solaris | Thunderbird | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 7 |
| CVE-2024-0727 | Oracle Solaris | OpenSSL | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4, 11.3, 10 | |

Notes:

1. This patch also addresses CVE-2023-50387.

2. This patch also addresses CVE-2023-4408, CVE-2023-50387, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516.

3. This patch also addresses CVE-2023-52356.

4. This patch also addresses CVE-2024-21890, CVE-2024-21891, CVE-2024-21896, CVE-2024-22019.

5. This patch also addresses CVE-2024-24549.

6. This patch also addresses CVE-2024-0743, CVE-2024-2605, CVE-2024-2607, CVE-2024-2608, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, CVE-2024-2616.

7. This patch also addresses CVE-2024-0743, CVE-2024-2605, CVE-2024-2607, CVE-2024-2608, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, CVE-2024-2616.