Oracle Solaris Third Party Bulletin - July 2016

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 18 October 2016
  • 17 January 2017
  • 18 April 2017
  • 18 July 2017

References

Modification History

2017-April-10 Rev 6. Added CVE-2015-8959
2017-February-09 Rev 5. Added CVE-2016-1762
2016-September-28 Rev 4. Added all CVEs fixed in Solaris 11.3 SRU12.4 and OpenSSL CVEs
2016-September-02 Rev 3. Added new CVEs
2016-August-24 Rev 2. Added all CVEs fixed in Solaris 11.3 SRU11.6
2016-July-19 Rev 1. Initial Release

Oracle Solaris Executive Summary

This Third Party Bulletin contains 56 new security fixes for the Oracle Solaris.  45 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

Oracle Solaris Risk Matrix

Revision 4: Published on 2016-09-28

CVE# Product Protocol Third Party­component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2016-6304SolarisSSL/TLSOpenSSLYes7.8NetworkLowNoneNoneNoneComplete11.3, 10 
CVE-2013-1511SolarisMultipleMySQLNo7.5NetworkMediumSinglePartialPartialComplete11.3See Note 15
CVE-2015-4752SolarisMultipleMySQLNo7.5NetworkMediumSinglePartialPartialComplete11.3See Note 17
CVE-2016-2182SolarisSSL/TLSOpenSSLYes7.5NetworkLowNonePartialPartialPartial11.3, 10 
CVE-2015-4756SolarisNoneMySQLNo7.2LocalLowNoneCompleteCompleteComplete11.3See Note 14
CVE-2014-9655SolarisMultipleLibTIFFYes5.8NetworkMediumNonePartialNonePartial11.3, 10See Note 16
CVE-2014-9330SolarisMultipleLibTIFFYes5.0NetworkLowNoneNoneNonePartial11.3, 10 
CVE-2016-6261SolarisMultipleLibidnYes5.0NetworkLowNoneNoneNonePartial11.3See Note 12
CVE-2016-2180SolarisSSL/TLSOpenSSLYes5.0NetworkLowNoneNoneNonePartial11.3, 10 
CVE-2016-2179SolarisSSL/TLSOpenSSLYes5.0NetworkLowNoneNoneNonePartial11.3, 10 
CVE-2016-2181SolarisSSL/TLSOpenSSLYes5.0NetworkLowNoneNoneNonePartial11.3, 10 
CVE-2016-6185SolarisNonePerlNo4.6LocalLowNonePartialPartialPartial11.3, 10 
CVE-2016-2775SolarisDNSBindYes4.3NetworkMediumNoneNoneNonePartial11.3, 10 
CVE-2016-6503SolarisMultipleWiresharkYes4.3NetworkMediumNoneNoneNonePartial11.3See Note 13
CVE-2016-6306SolarisSSL/TLSOpenSSLYes4.3NetworkMediumNoneNoneNonePartial11.3, 10 
CVE-2016-4428SolarisMultipleOpenStack HorizonNo3.5NetworkMediumSingleNonePartialNone11.3 

Revision 3: Published on 2016-09-02

CVE# Product Protocol Third Party­component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2016-2521SolarisNoneWiresharkNo7.2LocalLowNoneCompleteCompleteComplete11.3See Note 11
CVE-2016-3717SolarisMultipleImageMagickYes7.1NetworkMediumNoneCompleteNoneNone11.3, 10 
CVE-2016-4562SolarisMultipleImageMagickYes6.8NetworkMediumNonePartialPartialPartial11.3, 10See Note 10
CVE-2016-3715SolarisMultipleImageMagickYes5.8NetworkMediumNoneNonePartialPartial11.3, 10 
CVE-2016-2381SolarisMultiplePerlYes5.0NetworkLowNoneNonePartialNone11.3 
CVE-2016-4006SolarisMultipleWiresharkYes4.3NetworkMediumNoneNoneNonePartial11.3See Note 9
CVE-2016-3716SolarisMultipleImageMagickYes4.3NetworkMediumNoneNonePartialNone11.3, 10 
CVE-2016-3718SolarisMultipleImageMagickYes4.3NetworkMediumNoneNonePartialNone11.3, 10 

Revision 2: Published on 2016-08-24

CVE# Product Protocol Third Party­component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2016-3092SolarisMultipleApache TomcatYes7.8NetworkLowNoneNoneNoneComplete11.3 
CVE-2016-0718SolarisMultiplelibexpatYes7.5NetworkLowNonePartialPartialPartial11.3, 10 
CVE-2015-3228SolarisMultipleGhostscriptYes6.8NetworkMediumNonePartialPartialPartial11.3, 10 
CVE-2015-1283SolarisMultiplelibexpatYes6.8NetworkMediumNonePartialPartialPartial11.3, 10 
CVE-2016-1833SolarisMultiplelibxml2Yes6.8NetworkMediumNonePartialPartialPartial11.3, 10See Note 7
CVE-2016-5841SolarisMultipleImageMagickYes6.8NetworkMediumNonePartialPartialPartial11.3, 10See Note 6
CVE-2013-2561SolarisNoneOpenFabrics ibutilsNo6.3LocalMediumNoneNoneCompleteComplete11.3 
CVE-2016-6491SolarisMultipleImageMagickYes5.8NetworkMediumNonePartialNonePartial11.3, 10 
CVE-2016-3627SolarisMultiplelibxml2Yes5.0NetworkLowNoneNoneNonePartial11.3 
CVE-2016-6185SolarisNonePerlNo4.6LocalLowNonePartialPartialPartial11.3 
CVE-2016-4483SolarisMultiplelibxml2Yes4.3NetworkMediumNoneNoneNonePartial11.3 
CVE-2016-5355SolarisMultipleWiresharkYes4.3NetworkMediumNoneNoneNonePartial11.3See Note 8
CVE-2012-0876SolarisMultiplelibexpatYes4.3NetworkMediumNoneNoneNonePartial11.3See Note 3
CVE-2016-4971SolarisMultipleWgetYes4.3NetworkMediumNoneNonePartialNone11.3, 10 
CVE-2016-2177SolarisSSL/TLSWanBootYes4.3NetworkMediumNoneNoneNonePartial10See Note 2
CVE-2015-8934SolarisMultipleLibarchiveNo3.5NetworkMediumSinglePartialNoneNone11.3See Note 5
CVE-2015-7987SolarisDNSDNS ServiceYes2.6NetworkHighNoneNoneNonePartial11.3See Note 4

Revision 1: Published on 2016-07-19

CVE# Product Protocol Third Party­component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2015-8540SolarisMultipleLibPNGYes9.3NetworkMediumNoneCompleteCompleteComplete11.3, 10 
CVE-2015-8126SolarisMultipleLibPNGYes7.5NetworkLowNonePartialPartialPartial11.3 
CVE-2015-7501SolarisMultipleApache Commons CollectionsYes7.5NetworkLowNonePartialPartialPartial11.3 
CVE-2016-2774SolarisDHCPDHCP ServerYes7.1NetworkMediumNoneNoneNoneComplete11.3 
CVE-2016-1541SolarisMultipleLibarchiveYes6.8NetworkMediumNonePartialPartialPartial11.3 
CVE-2016-5691SolarisMultipleImageMagickYes5.8NetworkMediumNoneNonePartialPartial11.3See Note 1
CVE-2016-0772SolarisMultiplePythonYes5.8NetworkMediumNonePartialPartialNone11.3 
CVE-2015-7981SolarisMultipleLibPNGYes5.0NetworkLowNonePartialNoneNone11.3 
CVE-2015-8853SolarisMultiplePerlYes5.0NetworkLowNoneNoneNonePartial10 
CVE-2016-5699SolarisMultiplePythonYes5.0NetworkLowNoneNonePartialNone11.3 
CVE-2016-5636SolarisNonePythonNo4.4LocalMediumNonePartialPartialPartial11.3 
CVE-2014-3566SolarisMultipleOpen Source Web Services Manager (OpenWSMan)Yes4.3NetworkMediumNonePartialNoneNone11.3 
CVE-2013-7447SolarisMultipleGTK+ ToolkitYes4.3NetworkMediumNoneNoneNonePartial11.3, 10 
CVE-2016-3189SolarisMultipleBZipYes4.3NetworkMediumNoneNoneNonePartial11.3, 10 
CVE-2015-8025SolarisNoneXScreenSaverNo2.1LocalLowNoneNonePartialNone11.3, 10 

Notes:

  1. This fix also addresses CVE-2016-5687 CVE-2016-5688 CVE-2016-5689 CVE-2016-5690.
  2. This fix also addresses CVE-2016-2178.
  3. This fix also addresses CVE-2016-5300.
  4. This fix also addresses CVE-2015-7988.
  5. This fix also addresses CVE-2016-4300 CVE-2016-4301 CVE-2016-4302 CVE-2016-5844.
  6. This fix also addresses CVE-2016-5842.
  7. This fix also addresses CVE-2015-8806 CVE-2016-1762 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-2073 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449.
  8. This fix also addresses CVE-2016-5350 CVE-2016-5351 CVE-2016-5352 CVE-2016-5353 CVE-2016-5354 CVE-2016-5356 CVE-2016-5357 CVE-2016-5358.
  9. This fix also addresses CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE-2016-4082.
  10. This fix also addresses CVE-2015-8959 CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 CVE-2016-3718 CVE-2016-4563 CVE-2016-4564 CVE-2016-5118.
  11. This fix also addresses CVE-2016-2530 CVE-2016-2531 CVE-2016-2532 CVE-2016-4417 CVE-2016-4418 CVE-2016-4421.
  12. This fix also addresses CVE-2015-8948 CVE-2016-6262 CVE-2016-6263.
  13. This fix also addresses CVE-2016-6504 CVE-2016-6505 CVE-2016-6506 CVE-2016-6507 CVE-2016-6508 CVE-2016-6509 CVE-2016-6510 CVE-2016-6511 CVE-2016-6512 CVE-2016-6513.
  14. This fix also addresses CVE-2014-3569 CVE-2015-0385 CVE-2015-0405 CVE-2015-0423 CVE-2015-0438 CVE-2015-0439 CVE-2015-0498 CVE-2015-0500 CVE-2015-0503 CVE-2015-0506 CVE-2015-0507 CVE-2015-0508 CVE-2015-0511 CVE-2015-2566 CVE-2015-2567 CVE-2015-2611 CVE-2015-2617 CVE-2015-2639 CVE-2015-2641 CVE-2015-2661 CVE-2015-4737 CVE-2015-4761 CVE-2015-4767 CVE-2015-4769 CVE-2015-4771 CVE-2015-4772.
  15. This fix also addresses CVE-2014-2432 CVE-2014-2440 CVE-2014-2494 CVE-2014-3569 CVE-2014-4243 CVE-2014-4260 CVE-2014-4287 CVE-2014-6464 CVE-2014-6484 CVE-2014-6494 CVE-2014-6496 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0385 CVE-2015-0391 CVE-2015-0405 CVE-2015-0423 CVE-2015-0432 CVE-2015-0433 CVE-2015-0438 CVE-2015-0439 CVE-2015-0498 CVE-2015-0499 CVE-2015-0500 CVE-2015-0503 CVE-2015-0505 CVE-2015-0506 CVE-2015-0507 CVE-2015-0508 CVE-2015-0511 CVE-2015-2566 CVE-2015-2567 CVE-2015-2611 CVE-2015-2617 CVE-2015-2639 CVE-2015-2641 CVE-2015-2661 CVE-2015-4737 CVE-2015-4756 CVE-2015-4761 CVE-2015-4767 CVE-2015-4769 CVE-2015-4771 CVE-2015-4772.
  16. This fix also addresses CVE-2015-1547.
  17. This fix also addresses CVE-2014-6464 CVE-2014-6469 CVE-2014-6491 CVE-2014-6494 CVE-2014-6496 CVE-2014-6500 CVE-2014-6507 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0411 CVE-2015-0432 CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2643 CVE-2015-2648.