We’re sorry. We could not find a match for your search.

We suggest you try the following to help find what you’re looking for:

  • Check the spelling of your keyword search.
  • Use synonyms for the keyword you typed, for example, try "application" instead of "software."
  • Start a new search.
Cloud Account Sign in to Cloud
Oracle Account

Oracle Solaris Third Party Bulletin - October 2022

 

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.

 

Patch Availability

Please see My Oracle Support Note 1448883.1

 

Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 17 January 2023
  • 18 April 2023
  • 18 July 2023
  • 17 October 2023

References

 

Modification History

Date Note
2022-December-20 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 52
2022-November-15 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 51
2022-October-18 Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 50 and Solaris 11.3 ESU 36.30

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 56 new security patches for the Oracle Solaris Operating System.  41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2022-12-20

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-35256 Oracle Solaris Node.js HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4 See
Note 1
CVE-2022-37454 Oracle Solaris Python HTTPS Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2022-37454 Oracle Solaris PHP HTTPS Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2022-43548 Oracle Solaris Node.js HTTP Yes 8.1 Network High None None Un
changed
High High High 11.4 See
Note 2
CVE-2015-20107 Oracle Solaris Python HTTP No 7.6 Network Low Low None Un
changed
Low High Low 11.4  
CVE-2022-41323 Oracle Solaris Django HTTP Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2022-42252 Oracle Solaris Apache Tomcat HTTP Yes 7.5 Network Low None None Un
changed
None High None 11.4  
CVE-2022-42927 Oracle Solaris Firefox HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 3
CVE-2022-42927 Oracle Solaris Thunderbird HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 4
CVE-2022-45403 Oracle Solaris Firefox HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 5
CVE-2022-45403 Oracle Solaris Thunderbird HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 6
CVE-2022-31630 Oracle Solaris PHP None No 7.1 Local Low None Required Un
changed
High None High 11.4 See
Note 7
CVE-2022-3597 Oracle Solaris LibTIFF HTTP Yes 6.5 Network Low None Required Un
changed
None None High 11.4 See
Note 8
CVE-2022-3570 Oracle Solaris LibTIFF None No 5.5 Local Low None Required Un
changed
None None High 11.4  
CVE-2022-21628 Oracle Solaris JDK 8 HTTP Yes 5.3 Network Low None None Un
changed
None None Low 11.4  

Revision 2: Published on 2022-11-15

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-2207 Oracle Solaris VIM HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4 See
Note 9
CVE-2022-23901 Oracle Solaris re2c HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2022-27404 Oracle Solaris FreeType HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4 See
Note 10
CVE-2022-40674 Oracle Solaris libexpat HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2022-2867 Oracle Solaris LibTIFF HTTP Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 11
CVE-2022-1920 Oracle Solaris GStreamer None No 7.8 Local Low None Required Un
changed
High High High 11.4 See
Note 12
CVE-2022-2125 Oracle Solaris VIM None No 7.8 Local Low None Required Un
changed
High High High 11.4 See
Note 13
CVE-2022-24765 Oracle Solaris Git None No 7.8 Local Low Low None Un
changed
High High High 11.4 See
Note 14
CVE-2022-26981 Oracle Solaris Liblouis None No 7.8 Local Low None Required Un
changed
High High High 11.4  
CVE-2020-10735 Oracle Solaris Python HTTP Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2022-24070 Oracle Solaris Apache Subversion HTTP Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 15
CVE-2022-3602 Oracle Solaris OpenSSL SSL/TLS Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2022-3786 Oracle Solaris OpenSSL SSL/TLS Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2022-29154 Oracle Solaris RSYNC HTTP Yes 7.4 Network High None None Un
changed
None High High 11.4 See
Note 16
CVE-2022-29458 Oracle Solaris Ncurses None No 7.1 Local Low None Required Un
changed
High None High 11.4  
CVE-2021-37750 Oracle Solaris Kerberos HTTP No 6.5 Network Low Low None Un
changed
None None High 11.4  
CVE-2021-46823 Oracle Solaris Ldap Client Library For Python HTTP No 6.5 Network Low Low None Un
changed
None None High 11.4  
CVE-2022-1348 Oracle Solaris Rotates And Compresses Log Files HTTP No 6.5 Network Low Low None Un
changed
None None High 11.4  
CVE-2022-2056 Oracle Solaris LibTIFF HTTP Yes 6.5 Network Low None Required Un
changed
None None High 11.4 See
Note 17
CVE-2022-36087 Oracle Solaris Oauth Request Signing HTTP Yes 6.5 Network Low None Required Un
changed
None None High 11.4  
CVE-2021-42574 Oracle Solaris Rust None No 6.3 Local High Low None Un
changed
None High High 11.4 See
Note 18
CVE-2022-3032 Oracle Solaris Thunderbird HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.4 See
Note 19
CVE-2022-40956 Oracle Solaris Firefox HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.4 See
Note 20
CVE-2022-3190 Oracle Solaris Wireshark None No 5.5 Local Low None Required Un
changed
None None High 11.4  
CVE-2022-21628 Oracle Solaris JDK 8 HTTP Yes 5.3 Network Low None None Un
changed
None None Low 11.4  

Revision 1: Published on 2022-10-18

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-1292 Oracle Solaris OpenSSL HTTPS Yes 9.8 Network Low None None Un
changed
High High High 11.4, 11.3, 10 See
Note 21
CVE-2022-2274 Oracle Solaris OpenSSL TLS Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2022-31627 Oracle Solaris PHP HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2022-37434 Oracle Solaris zlib HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2022-31626 Oracle Solaris PHP HTTP No 8.8 Network Low Low None Un
changed
High High High 11.4 See
Note 22
CVE-2022-36359 Oracle Solaris Django HTTP Yes 8.8 Network Low None Required Un
changed
High High High 11.4  
CVE-2022-2881 Oracle Solaris BIND HTTP Yes 8.2 Network Low None None Un
changed
Low None High 11.4, 10 See
Note 23
CVE-2020-28196 Oracle Solaris Kerberos HTTPS Yes 7.5 Network Low None None Un
changed
None None High 11.3  
CVE-2022-29885 Oracle Solaris Apache Tomcat HTTP Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 24
CVE-2022-34484 Oracle Solaris Thunderbird HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 25
CVE-2022-2509 Oracle Solaris GnuTLS SSL/TLS Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2022-38472 Oracle Solaris Firefox HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 26
CVE-2022-38472 Oracle Solaris Thunderbird HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 27
CVE-2022-36318 Oracle Solaris Firefox HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.4 See
Note 28
CVE-2022-26373 Oracle Solaris Zones None No 5.5 Local Low Low None Un
changed
High None None 11.4  
CVE-2022-2097 Oracle Solaris OpenSSL SSL/TLS Yes 5.3 Network Low None None Un
changed
Low None None 11.4  

Notes:

1. This patch also addresses CVE-2018-7160 CVE-2022-32212 CVE-2022-32213 CVE-2022-32215 CVE-2022-32222 CVE-2022-35255.

2. This patch also addresses CVE-2022-3602 CVE-2022-3786.

3. This patch also addresses CVE-2022-42928 CVE-2022-42929 CVE-2022-42932.

4. This patch also addresses CVE-2022-42928 CVE-2022-42929 CVE-2022-42932.

5. This patch also addresses CVE-2022-40674 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45407 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45413 CVE-2022-45415 CVE-2022-45416 CVE-2022-45417 CVE-2022-45418 CVE-2022-45419 CVE-2022-45420 CVE-2022-45421.

6. This patch also addresses CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420 CVE-2022-45421.

7. This patch also addresses CVE-2022-31628 CVE-2022-31629.

8. This patch also addresses CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627.

9. This patch also addresses CVE-2022-2206 CVE-2022-2208 CVE-2022-2210 CVE-2022-2231 CVE-2022-2264 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2288 CVE-2022-2289 CVE-2022-2304 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-2522 CVE-2022-2571 CVE-2022-2580 CVE-2022-2581 CVE-2022-2598.

10. This patch also addresses CVE-2022-27405 CVE-2022-27406.

11. This patch also addresses CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-1056 CVE-2022-22844 CVE-2022-2868 CVE-2022-2869 CVE-2022-34526.

12. This patch also addresses CVE-2022-1921 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122.

13. This patch also addresses CVE-2022-2175 CVE-2022-2183.

14. This patch also addresses CVE-2022-29187.

15. This patch also addresses CVE-2021-28544.

16. This patch also addresses CVE-2019-6111.

17. This patch also addresses CVE-2022-2057 CVE-2022-2058 CVE-2022-34526.

18. This patch also addresses CVE-2021-42694 CVE-2022-21658.

19. This patch also addresses CVE-2022-3033 CVE-2022-3034 CVE-2022-3155 CVE-2022-36059 CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962.

20. This patch also addresses CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962.

21. This patch also addresses CVE-2022-2068.

22. This patch also addresses CVE-2022-31625.

23. This patch also addresses CVE-2022-2795 CVE-2022-2906 CVE-2022-3080 CVE-2022-38177 CVE-2022-38178.

24. This patch also addresses CVE-2022-34305.

25. This patch also addresses CVE-2022-2226 CVE-2022-31744 CVE-2022-34468 CVE-2022-34470 CVE-2022-34472 CVE-2022-34478 CVE-2022-34479 CVE-2022-34481 CVE-2022-34484 CVE-2022-36318 CVE-2022-36319.

26. This patch also addresses CVE-2022-38473 CVE-2022-38478.

27. This patch also addresses CVE-2022-38473 CVE-2022-38478.

28. This patch also addresses CVE-2022-36319.