No results found

Your search did not match any results.

Oracle Solaris Third Party Bulletin - January 2017

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 18 April 2017
  • 18 July 2017
  • 17 October 2017
  • 16 January 2018

References

Modification History

2017-March-28 Rev 4. Added all CVEs fixed in Solaris 11.3 SRU 18
2017-February-22 Rev 3. Added all CVEs fixed in Solaris 11.3 SRU 17
2017-January-26 Rev 2. Added Bind CVEs
2017-January-17 Rev 1. Initial Release

Oracle Solaris Executive Summary

This Third Party Bulletin contains 53 new security fixes for the Oracle Solaris.  44 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

Oracle Solaris Risk Matrix

Revision 4: Published on 2017-03-28

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability
CVE-2016-10196 Oracle Solaris LibEvent Multiple Yes 7.5 Network Low None None Unchanged None None High 11.3 See Note 1
CVE-2016-4049 Oracle Solaris Quagga Multiple Yes 7.5 Network Low None None Unchanged None None High 11.3, 10  
CVE-2016-8707 Oracle Solaris ImageMagick Multiple Yes 7.5 Network High None Required Unchanged High High High 11.3, 10 See Note 2
CVE-2017-5495 Oracle Solaris Quagga Multiple Yes 7.5 Network Low None None Unchanged None None High 11.3, 10  
CVE-2017-5596 Oracle Solaris Wireshark Multiple Yes 7.5 Network Low None None Unchanged None None High 11.3 See Note 3
CVE-2017-5390 Oracle Solaris Thunderbird Multiple Yes 7.3 Network Low None None Unchanged Low Low Low 11.3 See Note 4
CVE-2016-8620 Oracle Solaris libcurl Multiple Yes 6.5 Network Low None None Unchanged Low Low None 11.3  
CVE-2016-9586 Oracle Solaris libcurl Multiple Yes 5.9 Network High None None Unchanged None None High 11.3  
CVE-2016-8615 Oracle Solaris libcurl Multiple Yes 5.3 Network Low None None Unchanged None Low None 11.3  
CVE-2016-8618 Oracle Solaris libcurl Multiple Yes 5.3 Network Low None None Unchanged None Low None 11.3  
CVE-2016-8619 Oracle Solaris libcurl Multiple Yes 5.3 Network Low None None Unchanged None Low None 11.3  
CVE-2016-8621 Oracle Solaris libcurl Multiple Yes 5.3 Network Low None None Unchanged Low None None 11.3  
CVE-2016-8624 Oracle Solaris libcurl Multiple Yes 5.3 Network Low None None Unchanged None Low None 11.3  
CVE-2016-8743 Oracle Solaris Apache HTTP server HTTP Yes 4 Network High None None Changed None Low None 11.3  
CVE-2016-8616 Oracle Solaris libcurl Multiple Yes 3.7 Network High None None Unchanged None Low None 11.3  
CVE-2016-8622 Oracle Solaris libcurl Multiple Yes 3.7 Network High None None Unchanged None Low None 11.3  
CVE-2016-8617 Oracle Solaris libcurl None No 3.3 Local Low Low None Unchanged None Low None 11.3  
CVE-2016-8623 Oracle Solaris libcurl None No 3.3 Local Low Low None Unchanged Low None None 11.3  

Revision 3: Published on 2017-02-22

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability
CVE-2016-3191 Oracle Solaris PCRE Multiple Yes 9.8 Network Low None None Unchanged High High High 11.3  
CVE-2016-10003 Oracle Solaris Squid Multiple Yes 9.4 Network Low None None Unchanged High High Low 11.3 See Note 5
CVE-2015-7674 Oracle Solaris gdk-pixbuf Multiple Yes 7.6 Network Low None Required Unchanged Low Low High 11.3, 10  
CVE-2016-8743 Oracle Solaris Apache HTTP server HTTP Yes 7.5 Network Low None None Unchanged None None High 11.3, 10 See Note 6
CVE-2016-9899 Oracle Solaris Thunderbird Multiple Yes 7.3 Network Low None None Unchanged Low Low Low 11.3 See Note 7
CVE-2017-5390 Oracle Solaris Firefox Multiple Yes 7.3 Network Low None None Unchanged Low Low Low 11.3 See Note 8
CVE-2016-2125 Oracle Solaris SMB Multiple No 6.6 Network High High None Changed High Low None 11.3, 10 See Note 9
CVE-2013-7447 Oracle Solaris GTK+ Multiple Yes 6.5 Network Low None Required Unchanged None None High 11.3  
CVE-2015-8875 Oracle Solaris gdk-pixbuf Multiple Yes 6.3 Network Low None Required Unchanged Low Low Low 11.3, 10 See Note 10
CVE-2016-8740 Oracle Solaris Apache HTTP server HTTP Yes 5.9 Network High None None Unchanged None None High 11.3, 10  
CVE-2017-3731 Oracle Solaris OpenSSL SSL/TLS Yes 5.9 Network High None None Unchanged None None High 11.3, 10  
CVE-2017-3732 Oracle Solaris OpenSSL SSL/TLS Yes 5.9 Network High None None Unchanged High None None 11.3, 10  
CVE-2016-9401 Oracle Solaris Bash None No 5.5 Local Low Low None Unchanged None High None 11.3  
CVE-2016-10168 Oracle Solaris GD2 Graphics Draw Library Multiple Yes 5.3 Network Low None None Unchanged None None Low 11.3 See Note 11
CVE-2016-7799 Oracle Solaris ImageMagick None No 5.1 Local Low None None Unchanged Low None Low 11.3, 10 See Note 12
CVE-2016-7543 Oracle Solaris Bash None No 4.9 Local High None None Unchanged Low Low Low 11.3, 10 See Note 13
CVE-2016-7055 Oracle Solaris OpenSSL SSL/TLS Yes 3.7 Network High None None Unchanged None None Low 11.3, 10  
CVE-2016-9844 Oracle Solaris Zipinfo None No 3.3 Local Low None Required Unchanged None None Low 11.3  

Revision 2: Published on 2017-01-26

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability
CVE-2016-9131 Oracle Solaris Bind DNS Yes 7.5 Network Low None None Unchanged None None High 11.3, 10 See Note 14

Revision 1: Published on 2017-01-17

CVE# Product Third Party component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability
CVE-2016-8704 Oracle Solaris Memcached Multiple Yes 9.8 Network Low None None Unchanged High High High 11.3 See Note 15
CVE-2016-5276 Oracle Solaris Thunderbird Multiple Yes 8.8 Network Low None Required Unchanged High High High 11.3 See Note 16
CVE-2016-3427 Oracle Solaris Apache Tomcat Version 8 Multiple Yes 8.1 Network High None None Unchanged High High High 11.3, 10 See Note 17
CVE-2016-3427 Oracle Solaris Apache Tomcat Version 6 Multiple Yes 8.1 Network High None None Unchanged High High High 11.3, 10 See Note 18
CVE-2016-4994 Oracle Solaris Gimp None No 7.8 Local Low None Required Unchanged High High High 11.3  
CVE-2016-9079 Oracle Solaris Firefox Multiple Yes 7.3 Network Low None None Unchanged Low Low Low 11.3  
CVE-2016-9079 Oracle Solaris Thunderbird Multiple Yes 7.3 Network Low None None Unchanged Low Low Low 11.3  
CVE-2016-9899 Oracle Solaris Firefox Multiple Yes 7.3 Network Low None None Unchanged Low Low Low 11.3 See Note 19
CVE-2016-9372 Oracle Solaris Wireshark Multiple Yes 5.9 Network High None None Unchanged None None High 11.3  
CVE-2016-9373 Oracle Solaris Wireshark Multiple Yes 5.9 Network High None None Unchanged None None High 11.3  
CVE-2016-9374 Oracle Solaris Wireshark Multiple Yes 5.9 Network High None None Unchanged None None High 11.3  
CVE-2016-9375 Oracle Solaris Wireshark Multiple Yes 5.9 Network High None None Unchanged None None High 11.3  
CVE-2016-9376 Oracle Solaris Wireshark Multiple Yes 5.9 Network High None None Unchanged None None High 11.3  
CVE-2016-8745 Oracle Solaris Apache Tomcat Version 8 Multiple Yes 5.9 Network High None None Unchanged High None None 11.3, 10  
CVE-2014-0016 Oracle Solaris Stunnel Multiple Yes 5.3 Network Low None None Unchanged Low None None 11.3  
CVE-2014-1624 Oracle Solaris Python-xdg None No 4 Local High None None Unchanged None Low Low 11.3  

Notes:

  1. This fix also addresses CVE-2016-10195 CVE-2016-10197.
  2. This fix also addresses CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 CVE-2017-5507 CVE-2017-5508 CVE-2017-5509 CVE-2017-5510 CVE-2017-5511.
  3. This fix also addresses CVE-2017-5597.
  4. This fix also addresses CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5396.
  5. This fix also addresses CVE-2016-10002.
  6. This fix also addresses CVE-2016-0736 CVE-2016-2161.
  7. This fix also addresses CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9900 CVE-2016-9904 CVE-2016-9905.
  8. This fix also addresses CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5396.
  9. This fix also addresses CVE-2016-2123 CVE-2016-2126.
  10. This fix also addresses CVE-2015-7674.
  11. This fix also addresses CVE-2016-10167.
  12. This fix also addresses CVE-2016-7906 CVE-2016-8862 CVE-2016-9298 CVE-2016-9556 CVE-2016-9559.
  13. This fix also addresses CVE-2016-0634.
  14. This fix also addresses CVE-2016-9147 CVE-2016-9444.
  15. This fix also addresses CVE-2016-8705 CVE-2016-8706.
  16. This fix also addresses CVE-2016-5250 CVE-2016-5257 CVE-2016-5270 CVE-2016-5272 CVE-2016-5274 CVE-2016-5277 CVE-2016-5278 CVE-2016-5280 CVE-2016-5284 CVE-2016-5290 CVE-2016-5291 CVE-2016-5294 CVE-2016-5296 CVE-2016-5297 CVE-2016-9066 CVE-2016-9074.
  17. This fix also addresses CVE-2016-6816 CVE-2016-6817 CVE-2016-8735.
  18. This fix also addresses CVE-2016-6816 CVE-2016-8735.
  19. This fix also addresses CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904 CVE-2016-9905.