Oracle Solaris Third Party Bulletin - April 2018


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins will also be updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 July 2018
  • 16 October 2018
  • 15 January 2019
  • 16 April 2019

Modification History

2018-May-15 Rev 2. Added all CVEs fixed in Solaris 11.3 SRU 32
2018-April-17 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 SRU 31

 

 

Oracle Solaris Executive Summary

 

This Oracle Solaris Bulletin contains 41 new security fixes for the Oracle Solaris Operating System. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

 

Oracle Solaris Third Party Bulletin Risk Matrix

 


Revision 2: Published on 2018-05-15



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-7750 | Solaris | Python Modules | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | |
| CVE-2017-12883 | Solaris | Perl | Multiple | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 11.3 | |
| CVE-2017-12837 | Solaris | Perl | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2017-14746 | Solaris | Samba | SMB | No | 6.3 | Adjacent Network | Low | None | None | Unchanged | Low | Low | Low | 11.3, 10 | See Note 17 |
| CVE-2017-3738 | Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.3, 10 | See Note 16 |
| CVE-2018-9256 | Solaris | Wireshark | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3 | See Note 14 |
| CVE-2018-1050 | Solaris | Samba | SMB | No | 4.3 | Adjacent Network | Low | None | None | Unchanged | None | None | Low | 11.3 | See Note 19 |
| CVE-2018-1312 | Solaris | Apache HTTP server | HTTP | Yes | 4.2 | Network | High | None | Required | Unchanged | Low | Low | None | 11.3 | See Note 20 |
| CVE-2018-7443 | Solaris | ImageMagick | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3, 10 | See Note 15 |




Revision 1: Published on 2018-04-17



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-5379 | Solaris | Quagga | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3, 10 | |
| CVE-2016-1245 | Solaris | Quagga | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3, 10 | |
| CVE-2018-5146 | Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2018-5125 | Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 10 |
| CVE-2017-1000158 | Solaris | Python | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3, 10 | |
| CVE-2017-16611 | Solaris | X.Org | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 11 |
| CVE-2017-17784 | Solaris | Gimp | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-17789 | Solaris | Gimp | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-5581 | Solaris | VNC | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3, 10 | |
| CVE-2017-7392 | Solaris | VNC | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | See Note 1 |
| CVE-2017-11143 | Solaris | PHP | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 2 |
| CVE-2018-2696 | Solaris | MySQL | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 12 |
| CVE-2018-5381 | Solaris | Quagga | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2018-5130 | Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3 | See Note 9 |
| CVE-2018-5148 | Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2018-1000031 | Solaris | Unzip | None | No | 7 | Local | High | None | Required | Unchanged | High | High | High | 11.3, 10 | See Note 3 |
| CVE-2018-2562 | Solaris | MySQL | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.3 | See Note 13 |
| CVE-2018-5712 | Solaris | PHP | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.3 | See Note 5 |
| CVE-2018-5378 | Solaris | Quagga | Multiple | No | 5.9 | Network | High | Low | None | Unchanged | Low | None | High | 11.3, 10 | |
| CVE-2018-5733 | Solaris | DHCP Server | DHCP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | See Note 8 |
| CVE-2018-7584 | Solaris | PHP | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2017-7890 | Solaris | PHP | None | No | 5.5 | Local | Low | None | Required | Unchanged | High | None | None | 11.3 | |
| CVE-2017-15706 | Solaris | Apache Tomcat | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3, 10 | |
| CVE-2018-7182 | Solaris | NTP | NTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.3, 10 | |
| CVE-2018-7170 | Solaris | NTP | NTP | No | 5.3 | Network | High | Low | None | Unchanged | None | High | None | 11.3, 10 | |
| CVE-2018-7183 | Solaris | NTP | NTP | Yes | 5 | Network | High | None | Required | Unchanged | Low | Low | Low | 11.3, 10 | |
| CVE-2018-1305 | Solaris | Apache Tomcat | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 11.3, 10 | See Note 6 |
| CVE-2017-16227 | Solaris | Quagga | Multiple | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2018-7050 | Solaris | Irssi | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 11.3 | See Note 4 |
| CVE-2018-7184 | Solaris | NTP | NTP | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2018-7185 | Solaris | NTP | NTP | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2017-16642 | Solaris | PHP | None | No | 2.9 | Local | High | None | None | Unchanged | Low | None | None | 11.3 | See Note 7 |

 

Notes:

  1. This fix also addresses CVE-2017-7393 CVE-2017-7394 CVE-2017-7395 CVE-2017-7396.
  2. This fix also addresses CVE-2016-10397 CVE-2017-11142 CVE-2017-11144 CVE-2017-11145 CVE-2017-11146 CVE-2017-11147.
  3. This fix also addresses CVE-2015-1315 CVE-2018-1000032 CVE-2018-1000033 CVE-2018-1000034 CVE-2018-1000035.
  4. This fix also addresses CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054.
  5. This fix also addresses CVE-2018-1000007 CVE-2018-5711.
  6. This fix also addresses CVE-2018-1304.
  7. This fix also addresses CVE-2016-1283 CVE-2017-12932.
  8. This fix also addresses CVE-2018-5732.
  9. This fix also addresses CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5131 CVE-2018-5144 CVE-2018-5145.
  10. This fix also addresses CVE-2018-5127 CVE-2018-5129 CVE-2018-5144 CVE-2018-5145 CVE-2018-5146.
  11. This fix also addresses CVE-2017-16612.
  12. This fix also addresses CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2018-2562 CVE-2018-2573 CVE-2018-2583 CVE-2018-2590 CVE-2018-2591 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2645 CVE-2018-2647 CVE-2018-2665 CVE-2018-2668 CVE-2018-2696 CVE-2018-2703.
  13. This fix also addresses CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668.
  14. This fix also addresses CVE-2018-9257 CVE-2018-9258 CVE-2018-9259 CVE-2018-9260 CVE-2018-9261 CVE-2018-9262 CVE-2018-9263 CVE-2018-9264 CVE-2018-9265 CVE-2018-9266 CVE-2018-9267 CVE-2018-9268 CVE-2018-9269 CVE-2018-9270 CVE-2018-9271 CVE-2018-9272 CVE-2018-9273 CVE-2018-9274.
  15. This fix also addresses CVE-2017-18210 CVE-2017-18211 CVE-2018-6930 CVE-2018-7470.
  16. This fix also addresses CVE-2018-0733 CVE-2018-0739.
  17. This fix also addresses CVE-2017-15275.
  18. This fix also addresses CVE-2018-1057.
  19. This fix also addresses CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301 CVE-2018-1302 CVE-2018-1303.