Oracle Solaris Third Party Bulletin - January 2017


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins are also updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1.


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 18 April 2017
  • 18 July 2017
  • 17 October 2017
  • 16 January 2018


Modification History


2017-March-28 Rev 4. Added all CVEs fixed in Solaris 11.3 SRU 18
2017-February-22 Rev 3. Added all CVEs fixed in Solaris 11.3 SRU 17
2017-January-26 Rev 2. Added Bind CVEs
2017-January-17 Rev 1. Initial Release
Oracle Solaris Executive Summary

This Third Party Bulletin contains 53 new security fixes for Oracle Solaris. 44 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.


Oracle Solaris Risk Matrix


Revision 4: Published on 2017-03-28



Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-10196 | Solaris | LibEvent | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 20 |
| CVE-2016-4049 | Solaris | Quagga | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2016-8707 | Solaris | ImageMagick | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3, 10 | See Note 16 |
| CVE-2017-5495 | Solaris | Quagga | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2017-5596 | Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 19 |
| CVE-2017-5390 | Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 17 |
| CVE-2016-8620 | Solaris | libcurl | Multiple | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.3 | |
| CVE-2016-9586 | Solaris | libcurl | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-8615 | Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8618 | Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8619 | Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8621 | Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.3 | |
| CVE-2016-8624 | Solaris | libcurl | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8743 | Solaris | Apache HTTP server | HTTP | Yes | 4 | Network | High | None | None | Changed | None | Low | None | 11.3 | |
| CVE-2016-8616 | Solaris | libcurl | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8622 | Solaris | libcurl | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8617 | Solaris | libcurl | None | No | 3.3 | Local | Low | Low | None | Unchanged | None | Low | None | 11.3 | |
| CVE-2016-8623 | Solaris | libcurl | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 11.3 | |


Revision 3: Published on 2017-02-22



Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-3191 | Solaris | PCRE | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | |
| CVE-2016-10003 | Solaris | Squid | Multiple | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 11.3 | See Note 15 |
| CVE-2015-7674 | Solaris | gdk-pixbuf | Multiple | Yes | 7.6 | Network | Low | None | Required | Unchanged | Low | Low | High | 11.3, 10 | |
| CVE-2016-8743 | Solaris | Apache HTTP server | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | See Note 9 |
| CVE-2016-9899 | Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 10 |
| CVE-2017-5390 | Solaris | Firefox | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 13 |
| CVE-2016-2125 | Solaris | SMB | Multiple | No | 6.6 | Network | High | High | None | Changed | High | Low | None | 11.3, 10 | See Note 11 |
| CVE-2013-7447 | Solaris | GTK+ | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.3 | |
| CVE-2015-8875 | Solaris | gdk-pixbuf | Multiple | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.3, 10 | See Note 7 |
| CVE-2016-8740 | Solaris | Apache HTTP server | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2017-3731 | Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2017-3732 | Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.3, 10 | |
| CVE-2016-9401 | Solaris | Bash | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | High | None | 11.3 | |
| CVE-2016-10168 | Solaris | GD2 Graphics Draw Library | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3 | See Note 14 |
| CVE-2016-7799 | Solaris | ImageMagick | None | No | 5.1 | Local | Low | None | None | Unchanged | Low | None | Low | 11.3, 10 | See Note 12 |
| CVE-2016-7543 | Solaris | Bash | None | No | 4.9 | Local | High | None | None | Unchanged | Low | Low | Low | 11.3, 10 | See Note 8 |
| CVE-2016-7055 | Solaris | OpenSSL | SSL/TLS | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2016-9844 | Solaris | Zipinfo | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3 | |


Revision 2: Published on 2017-01-26



Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-9131 | Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | See Note 6 |




Revision 1: Published on 2017-01-17



Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-8704 | Solaris | Memcached | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | See Note 5 |
| CVE-2016-5276 | Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 4 |
| CVE-2016-3427 | Solaris | Apache Tomcat Version 8 | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3, 10 | See Note 2 |
| CVE-2016-3427 | Solaris | Apache Tomcat Version 6 | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3, 10 | See Note 3 |
| CVE-2016-4994 | Solaris | Gimp | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9079 | Solaris | Firefox | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | |
| CVE-2016-9079 | Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | |
| CVE-2016-9899 | Solaris | Firefox | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 1 |
| CVE-2016-9372 | Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9373 | Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9374 | Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9375 | Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-9376 | Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2016-8745 | Solaris | Apache Tomcat Version 8 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.3, 10 | |
| CVE-2014-0016 | Solaris | STUNNEL | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.3 | |
| CVE-2014-1624 | Solaris | Python-xdg | None | No | 4 | Local | High | None | None | Unchanged | None | Low | Low | 11.3 | |
Notes:

  1. This fix also addresses CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904 CVE-2016-9905.
  2. This fix also addresses CVE-2016-6816 CVE-2016-6817 CVE-2016-8735.
  3. This fix also addresses CVE-2016-6816 CVE-2016-8735.
  4. This fix also addresses CVE-2016-5250 CVE-2016-5257 CVE-2016-5270 CVE-2016-5272 CVE-2016-5274 CVE-2016-5277 CVE-2016-5278 CVE-2016-5280 CVE-2016-5284 CVE-2016-5290 CVE-2016-5291 CVE-2016-5294 CVE-2016-5296 CVE-2016-5297 CVE-2016-9066 CVE-2016-9074.
  5. This fix also addresses CVE-2016-8705 CVE-2016-8706.
  6. This fix also addresses CVE-2016-9147 CVE-2016-9444.
  7. This fix also addresses CVE-2015-7674.
  8. This fix also addresses CVE-2016-0634.
  9. This fix also addresses CVE-2016-0736 CVE-2016-2161.
  10. This fix also addresses CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9900 CVE-2016-9904 CVE-2016-9905.
  11. This fix also addresses CVE-2016-2123 CVE-2016-2126.
  12. This fix also addresses CVE-2016-7906 CVE-2016-8862 CVE-2016-9298 CVE-2016-9556 CVE-2016-9559.
  13. This fix also addresses CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5396.
  14. This fix also addresses CVE-2016-10167.
  15. This fix also addresses CVE-2016-10002.
  16. This fix also addresses CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 CVE-2017-5507 CVE-2017-5508 CVE-2017-5509 CVE-2017-5510 CVE-2017-5511.
  17. This fix also addresses CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5396.
  18. This fix also addresses CVE-2017-5597.
  19. This fix also addresses CVE-2016-10195 CVE-2016-10197.