Oracle Solaris Third Party Bulletin - July 2024


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 15 October 2024
  • 21 January 2025
  • 15 April 2025
  • 15 July 2025


Modification History

Date | Note
---- | ----
2024-August-20 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 72
2024-July-16 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 71

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 52 new security patches for the Oracle Solaris Operating System. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 2: Published on 2024-08-20

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
------ | ------- | --------------------- | -------- | ----------------------------- | ---------- | ------------- | ----------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2022-32744 | Oracle Solaris | Samba | SMB | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 1
CVE-2024-25111 | Oracle Solaris | Squid | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 11.4 |
CVE-2024-22667 | Oracle Solaris | VIM | None | No | 8.4 | Local | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2024-32487 | Oracle Solaris | less | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | 11.4 |
CVE-2024-31080 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 2
CVE-2024-39331 | Oracle Solaris | GNU Emacs | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 |
CVE-2024-4453 | Oracle Solaris | GStreamer | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 |
CVE-2024-5197 | Oracle Solaris | libvpx | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 |
CVE-2024-2004 | Oracle Solaris | libcurl | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 3
CVE-2024-24787 | Oracle Solaris | Go Programming Language | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 4
CVE-2024-25580 | Oracle Solaris | Qt | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 5
CVE-2024-28757 | Oracle Solaris | libexpat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2024-3205 | Oracle Solaris | libyaml | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2023-0361 | Oracle Solaris | GnuTLS | TLS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.4 |
CVE-2024-21147 | Oracle Solaris | JDK 8 | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.4 |
CVE-2024-30202 | Oracle Solaris | GNU Emacs | None | No | 7.3 | Local | Low | None | Required | Unchanged | High | High | Low | 11.4 | See Note 6
CVE-2023-38497 | Oracle Solaris | Rust | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 11.4 |
CVE-2021-4209 | Oracle Solaris | GnuTLS | TLS | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.4 |
CVE-2023-5388 | Oracle Solaris | Netscape Security Services | HTTPS | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.4 |
CVE-2023-45918 | Oracle Solaris | Ncurses | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2024-24790 | Oracle Solaris | Go Programming Language | None | No | 6.2 | Local | High | None | None | Unchanged | Low | High | Low | 11.4 | See Note 7
CVE-2023-40030 | Oracle Solaris | Rust | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 |
CVE-2023-5981 | Oracle Solaris | GnuTLS | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 |
CVE-2024-0553 | Oracle Solaris | GnuTLS | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | See Note 8
CVE-2024-0567 | Oracle Solaris | GnuTLS | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 |
CVE-2024-26306 | Oracle Solaris | iPerf | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 |
CVE-2024-35195 | Oracle Solaris | Requests | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 11.4 |
CVE-2024-4741 | Oracle Solaris | OpenSSL | TLS | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | 11.4 |
CVE-2022-0529 | Oracle Solaris | Unzip | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 9
CVE-2023-52722 | Oracle Solaris | Ghostscript | None | No | 5.5 | Local | Low | None | Required | Unchanged | High | None | None | 11.4 | See Note 10
CVE-2024-28182 | Oracle Solaris | Nghttp2 | HTTP/2 | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 |
CVE-2024-28834 | Oracle Solaris | GnuTLS | TLS | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 11.4 | See Note 11
CVE-2024-4603 | Oracle Solaris | OpenSSL | TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 |
CVE-2023-46045 | Oracle Solaris | Graphviz | None | No | 4.2 | Local | Low | High | Required | Unchanged | None | None | High | 11.4 |
CVE-2019-13232 | Oracle Solaris | Unzip | None | No | 4 | Local | Low | None | None | Unchanged | None | None | Low | 11.4 |
CVE-2024-2511 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 11.4 |
CVE-2024-39894 | Oracle Solaris | OpenSSH | SSH | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | 11.4 |

Revision 1: Published on 2024-07-16

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
------ | ------- | --------------------- | -------- | ----------------------------- | ---------- | ------------- | ----------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2023-37920 | Oracle Solaris | Certifi | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 |
CVE-2024-4577 | Oracle Solaris | PHP | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 12
CVE-2024-2756 | Oracle Solaris | PHP | HTTP | Yes | 8.3 | Network | Low | None | Required | Unchanged | High | High | Low | 11.4 | See Note 13
CVE-2024-27316 | Oracle Solaris | Apache HTTP server | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2024-27351 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2024-2757 | Oracle Solaris | PHP | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 |
CVE-2024-32004 | Oracle Solaris | Git | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 14
CVE-2024-37407 | Oracle Solaris | Libarchive | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 15
CVE-2024-5688 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 16
CVE-2024-5688 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 17
CVE-2023-38709 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 6.8 | Network | High | None | None | Changed | None | High | None | 11.4 | See Note 18
CVE-2024-1931 | Oracle Solaris | Unbound | DNS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 |
CVE-2024-0911 | Oracle Solaris | GNU Indent | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11.4 |
CVE-2024-34064 | Oracle Solaris | Jinja | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 11.4 |
CVE-2024-43168 | Oracle Solaris | Unbound | None | No | 4.8 | Local | Low | Low | Required | Unchanged | Low | Low | Low | 11.4 |

Notes:

1. This patch also addresses CVE-2021-20251 CVE-2021-44141 CVE-2022-32742 CVE-2022-32745 CVE-2022-32746 CVE-2022-37966 CVE-2022-38023 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968 CVE-2023-4091.

2. This patch also addresses CVE-2024-31081 CVE-2024-31082 CVE-2024-31083.

3. This patch also addresses CVE-2024-2379 CVE-2024-2398 CVE-2024-2466.

4. This patch also addresses CVE-2024-24788.

5. This patch also addresses CVE-2023-51714 CVE-2024-30161.

6. This patch also addresses CVE-2024-30203 CVE-2024-30204 CVE-2024-30205.

7. This patch also addresses CVE-2024-24789.

8. This patch also addresses CVE-2023-5981.

9. This patch also addresses CVE-2022-0530.

10. This patch also addresses CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871.

11. This patch also addresses CVE-2024-28835.

12. This patch also addresses CVE-2024-1874 CVE-2024-2408 CVE-2024-4577 CVE-2024-5458 CVE-2024-5585.

13. This patch also addresses CVE-2022-31629 CVE-2024-3096.

14. This patch also addresses CVE-2024-32002 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465.

15. This patch also addresses CVE-2024-20697 CVE-2024-26256.

16. This patch also addresses CVE-2024-5691 CVE-2024-5692 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702.

17. This patch also addresses CVE-2024-5690 CVE-2024-5691 CVE-2024-5692 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702.

18. This patch also addresses CVE-2024-24795.