Oracle Solaris Third Party Bulletin - January 2016

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 April 2016
  • 19 July 2016
  • 18 October 2016
  • 17 January 2017

Modification History

2016-April-12 Rev 5. Added multiple Samba CVEs
2016-March-18 Rev 4. Added all CVEs fixed in Solaris 11.3 SRU 6.5
2016-March-15 Rev 3. Added CVE-2016-1285, CVE-2016-1286
2016-February-19 Rev 2. Added all CVEs fixed in Solaris 11.3 SRU 5.6
2016-January-19 Rev 1. Initial Release

Oracle Solaris Executive Summary

This Third Party Bulletin contains 84 new security fixes for Oracle Solaris. 69 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Risk Matrix

Revision 5: Published on 2016-04-12

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-2118 | Solaris | Multiple | Samba | Yes | 6.8 | Network | Medium | None | Partial+ | Partial+ | Partial+ | 11.3, 10 | |
| CVE-2016-2115 | Solaris | Multiple | Samba | Yes | 6.8 | Network | Medium | None | Partial+ | Partial+ | Partial+ | 11.3, 10 | |
| CVE-2016-2111 | Solaris | Multiple | Samba | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 11.3, 10 | |
| CVE-2016-2112 | Solaris | Multiple | Samba | Yes | 4.3 | Network | Medium | None | None | Partial+ | None | 11.3, 10 | |
| CVE-2016-2110 | Solaris | Multiple | Samba | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3, 10 | |
| CVE-2015-5370 | Solaris | Multiple | Samba | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 11.3, 10 | |

Revision 4: Published on 2016-03-18

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-0799 | Solaris | SSL/TLS | OpenSSL | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 10 | |
| CVE-2015-3280 | Solaris | Multiple | OpenStack Compute (Nova) | No | 6.8 | Network | Low | Single | None | None | Complete | 11.3 | |
| CVE-2015-5174 | Solaris | Multiple | Apache Tomcat | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.3, 10 | See Note 2 |
| CVE-2014-3636 | Solaris | None | DBus | No | 6.6 | Local | Medium | Single | Complete | Complete | Complete | 11.3 | See Note 10 |
| CVE-2015-7705 | Solaris | Multiple | NTP | Yes | 6.4 | Network | Low | None | None | Partial | Partial | 11.3, 10 | See Note 3 |
| CVE-2015-5252 | Solaris | Multiple | Samba | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.3, 10 | |
| CVE-2016-0797 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 10 | |
| CVE-2015-5146 | Solaris | Multiple | NTP | No | 4.9 | Adjacent Network | Medium | Single | Partial | Partial | Partial | 11.3 | |
| CVE-2015-5299 | Solaris | None | Samba | No | 4.6 | Local | Low | Single | Complete | None | None | 11.3, 10 | |
| CVE-2015-5346 | Solaris | None | Apache Tomcat | No | 4.4 | Local | Medium | None | Partial | Partial | Partial | 11.3 | See Note 8 |
| CVE-2014-3566 | Solaris | HTTP | Apache HTTP Server | Yes | 4.3 | Network | Medium | None | Partial | None | None | 10 | |
| CVE-2015-3197 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | Partial | None | None | 10 | |
| CVE-2015-4000 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10 | |
| CVE-2015-3197 | Solaris | SSL/TLS | Wanboot | Yes | 4.3 | Network | Medium | None | Partial | None | None | 10 | |
| CVE-2016-0800 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | Partial | None | None | 10 | |
| CVE-2016-0703 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | Partial | None | None | 10 | |
| CVE-2016-0704 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | Partial | None | None | 10 | |
| CVE-2015-5296 | Solaris | None | Samba | No | 3.0 | Local | Medium | Single | Partial+ | Partial+ | None | 11.3, 10 | |
| CVE-2015-5300 | Solaris | Multiple | NTP | Yes | 2.6 | Network | High | None | None | Partial | None | 11.3, 10 | |
| CVE-2014-3533 | Solaris | None | DBus | No | 2.1 | Local | Low | None | None | None | Partial | 11.3 | See Note 9 |
| CVE-2016-2533 | Solaris | None | Python Imaging Library (PIL) | No | 2.1 | Local | Low | None | None | None | Partial | 11.3 | |
| CVE-2014-3532 | Solaris | None | DBus | No | 1.9 | Local | Medium | None | None | None | Partial | 11.3 | See Note 11 |

Revision 3: Published on 2016-03-15

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1285 | Solaris | Bind | Bind | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 11.3, 10 | See Note 1 |

Revision 2: Published on 2016-02-19

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-3217 | Solaris | Multiple | PCRE | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | 11.3 | See Note 4 |
| CVE-2012-2814 | Solaris | Multiple | LibEXIF | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 10 | |
| CVE-2015-3144 | Solaris | Multiple | libcurl | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3 | |
| CVE-2015-3145 | Solaris | Multiple | libcurl | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3 | |
| CVE-2015-8557 | Solaris | Multiple | Pygments | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3 | |
| CVE-2004-0548 | Solaris | Multiple | Aspell | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 10 | |
| CVE-2015-6564 | Solaris | None | OpenSSH | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.3 | |
| CVE-2013-6418 | Solaris | Multiple | PYWBEM | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.3 | See Note 5 |
| CVE-2015-8605 | Solaris | Multiple | DHCP Server | No | 5.7 | Adjacent Network | Medium | None | None | None | Complete | 11.3 | |
| CVE-2014-3566 | Solaris | Multiple | OpenPegasus CIM Server | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
| CVE-2014-0015 | Solaris | Multiple | libcurl | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.3 | See Note 6 |
| CVE-2015-3148 | Solaris | Multiple | libcurl | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.3 | |
| CVE-2015-3153 | Solaris | Multiple | libcurl | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
| CVE-2015-7995 | Solaris | Multiple | libxslt | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | |
| CVE-2015-3195 | Solaris | SSL/TLS | WanBoot | Yes | 5.0 | Network | Low | None | Partial | None | None | 10 | |
| CVE-2015-4000 | Solaris | Multiple | Thunderbird | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | |
| CVE-2015-3236 | Solaris | Multiple | libcurl | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.3 | See Note 7 |
| CVE-2015-5352 | Solaris | Multiple | OpenSSH | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | |
| CVE-2015-8733 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8711 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8712 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8713 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8714 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8715 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8716 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8717 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8718 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8719 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8720 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8721 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8722 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8723 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8724 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8725 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | |
| CVE-2015-8726 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8727 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8728 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8729 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8730 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8731 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8732 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-7942 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2015-8241 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2015-8242 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2015-7498 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | Partial | None | None | 11.3 | |
| CVE-2015-5312 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2015-7499 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2015-7500 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2015-8317 | Solaris | Multiple | libxml2 | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2015-7497 | Solaris | Multiple | libxml2 | No | 2.1 | Network | High | Single | Partial | None | None | 11.3 | |
| CVE-2015-6563 | Solaris | None | OpenSSH | No | 1.9 | Local | Medium | None | None | Partial | None | 11.3 | |

Revision 1: Published on 2016-01-19

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-8704 | Solaris | Bind | Bind | No | 6.8 | Network | Low | Single | None | None | Complete | 11.3, 10 | |
| CVE-2015-3194 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3, 10 | |
| CVE-2015-3195 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3, 10 | |
| CVE-2015-3196 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3, 10 | |

Notes:

  1. This fix also addresses CVE-2016-1286.
  2. This fix also addresses CVE-2015-5345, CVE-2016-0706, CVE-2016-0714.
  3. This fix also addresses CVE-2015-5300, CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871, CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158.
  4. This fix also addresses CVE-2015-3210.
  5. This fix also addresses CVE-2013-6444.
  6. This fix also addresses CVE-2015-3143.
  7. This fix also addresses CVE-2015-3237.
  8. This fix also addresses CVE-2015-5351, CVE-2016-0763.
  9. This fix also addresses CVE-2014-3532, CVE-2014-3635, CVE-2015-0245.
  10. This fix also addresses CVE-2014-3532, CVE-2014-3635, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639, CVE-2014-7824, CVE-2015-0245.
  11. This fix also addresses CVE-2014-3635, CVE-2015-0245.