Oracle Solaris Third Party Bulletin - January 2019


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 April 2019
  • 16 July 2019
  • 15 October 2019
  • 14 January 2020

References


Modification History

2019-April-16 Rev 4. Updated CVE-2018-17183 and CVE-2018-15909 fixed in Solaris 11.3 LSU 36.10
2019-March-19 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 7
2019-February-19 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 6
2019-January-15 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.7 and Solaris 11.4 SRU 5

 

 

Oracle Solaris Executive Summary

 

This Oracle Solaris Bulletin contains 64 new security fixes for the Oracle Solaris Operating System.  40 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

 

Oracle Solaris Third Party Bulletin Risk Matrix

 


Revision 3: Published on 2019-03-19



CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-16375 Oracle Solaris OpenJPEG Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4  
CVE-2018-18356 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 1
CVE-2019-6486 Oracle Solaris Go Programming Language Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2018-4464 Oracle Solaris WebKitGTK+ Multiple Yes 7.1 Network High None Required Un
changed
High High Low 11.4 See
Note 2
CVE-2019-3823 Oracle Solaris libcurl Multiple Yes 7.1 Network Low None Required Un
changed
None Low High 11.4 See
Note 3
CVE-2017-1000115 Oracle Solaris Mercurial Multiple Yes 6.5 Network Low None None Un
changed
Low Low None 11.4 See
Note 4
CVE-2018-1060 Oracle Solaris Python Multiple Yes 6.5 Network Low None Required Un
changed
None None High 11.4 See
Note 5
CVE-2018-1060 Oracle Solaris Python Multiple Yes 6.5 Network Low None Required Un
changed
None None High 11.4 See
Note 6
CVE-2017-17458 Oracle Solaris Mercurial Multiple Yes 6.3 Network Low None Required Un
changed
Low Low Low 11.4  
CVE-2018-20482 Oracle Solaris GNU tar None No 5.5 Local Low None Required Un
changed
None None High 11.4, 10  
CVE-2017-15107 Oracle Solaris DNSmasq Multiple Yes 5.4 Network High None None Changed None Low Low 11.4  
CVE-2018-20684 Oracle Solaris OpenSSH Multiple Yes 5.3 Network High None Required Un
changed
None High None 11.4 See
Note 7
CVE-2018-20685 Oracle Solaris RCP Multiple Yes 5.3 Network High None Required Un
changed
None High None 11.4, 10  
CVE-2018-0495 Oracle Solaris Netscape Security Services None No 5.1 Local High None None Un
changed
High None None 11.4 See
Note 8
CVE-2017-14166 Oracle Solaris libarchive None No 3.3 Local Low None Required Un
changed
None None Low 11.4 See
Note 9
CVE-2017-9998 Oracle Solaris libdwarf None No 3.3 Local Low None Required Un
changed
None None Low 11.4  
CVE-2014-2524 Oracle Solaris GNU Readline None No 2.8 Local Low Low Required Un
changed
None Low None 11.4  


Revision 2: Published on 2019-02-19



CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-16541 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 10
CVE-2018-12395 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 11
CVE-2018-17466 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 12
CVE-2018-18505 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 13
CVE-2017-17405 Oracle Solaris Ruby Multiple Yes 8.1 Network High None None Un
changed
High High High 11.4 See
Note 14
CVE-2018-18311 Oracle Solaris Perl Multiple Yes 8.1 Network High None None Un
changed
High High High 11.4  
CVE-2018-11759 Oracle Solaris Apache HTTP server Multiple Yes 7.5 Network Low None None Un
changed
High None None 11.4 See
Note 15
CVE-2018-16395 Oracle Solaris Ruby Multiple Yes 7.5 Network Low None None Un
changed
None High None 11.4 See
Note 16
CVE-2018-19486 Oracle Solaris Git Multiple Yes 7.5 Network High None Required Un
changed
High High High 11.4  
CVE-2018-19788 Oracle Solaris PolicyKit None No 7 Local High Low None Un
changed
High High High 11.4  
CVE-2017-1000385 Oracle Solaris Erlang Multiple Yes 6.5 Network High None None Un
changed
High Low None 11.4 See
Note 17
CVE-2017-11465 Oracle Solaris Ruby Multiple Yes 6.5 Network Low None None Un
changed
Low Low None 11.4 See
Note 18
CVE-2018-1060 Oracle Solaris Python Multiple Yes 6.5 Network Low None Required Un
changed
None None High 11.4, 10 See
Note 19
CVE-2018-10916 Oracle Solaris LFTP Multiple Yes 6.5 Network Low None Required Un
changed
None High None 11.4  
CVE-2017-6512 Oracle Solaris Perl Multiple Yes 5.9 Network High None None Un
changed
None High None 11.4  
CVE-2017-6512 Oracle Solaris Perl Multiple Yes 5.9 Network High None None Un
changed
None High None 11.4  
CVE-2015-8327 Oracle Solaris Foomatic Print Filter Multiple Yes 5.6 Network High None None Un
changed
Low Low Low 11.4  
CVE-2019-5718 Oracle Solaris Wireshark None No 5.5 Local Low None Required Un
changed
None None High 11.4 See
Note 20
CVE-2018-1000222 Oracle Solaris GD2 Graphics Draw Library Multiple Yes 5.3 Network Low None None Un
changed
None None Low 11.4  
CVE-2018-15473 Oracle Solaris OpenSSH Multiple Yes 5.3 Network Low None None Un
changed
Low None None 11.4  
CVE-2018-16335 Oracle Solaris LibTIFF None No 5.3 Local Low None Required Un
changed
Low Low Low 11.4 See
Note 21
CVE-2018-17795 Oracle Solaris LibTIFF None No 5.3 Local Low None Required Un
changed
Low Low Low 11.4 See
Note 22
CVE-2018-1000030 Oracle Solaris Python Multiple No 4.3 Network Low High Required Un
changed
Low Low Low 11.4, 10  
CVE-2018-5711 Oracle Solaris GD2 Graphics Draw Library Multiple Yes 4.3 Network Low None Required Un
changed
None None Low 11.4  
CVE-2018-20217 Oracle Solaris Kerberos Multiple No 3.5 Network Low Low Required Un
changed
None None Low 11.4  
CVE-2018-12015 Oracle Solaris Perl None No 3.3 Local Low None Required Un
changed
None Low None 11.4  
CVE-2018-12015 Oracle Solaris Perl None No 3.3 Local Low None Required Un
changed
None Low None 11.4  
CVE-2017-15906 Oracle Solaris OpenSSH None No 2.8 Local Low Low Required Un
changed
None Low None 11.4  




Revision 1: Published on 2019-01-15



CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-6913 Oracle Solaris Perl Multiple Yes 8.1 Network High None None Un
changed
High High High 11.4 See
Note 23
CVE-2018-19158 Oracle Solaris PHP Multiple Yes 8.1 Network High None None Un
changed
High High High 11.4 See
Note 24
CVE-2018-17183 Oracle Solaris Ghostscript Multiple Yes 7.5 Network High None Required Un
changed
High High High 11.4, 11.3 See
Note 25
CVE-2018-11763 Oracle Solaris Apache HTTP server Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2018-19628 Oracle Solaris Wireshark Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 26
CVE-2018-15909 Oracle Solaris Ghostscript Multiple Yes 7.3 Network Low None None Un
changed
Low Low Low 11.4, 11.3  
CVE-2018-0739 Oracle Solaris MySQL Multiple No 7.1 Network Low Low None Un
changed
None Low High 11.4 See
Note 27
CVE-2016-8705 Oracle Solaris Memcached Multiple Yes 6.5 Network Low None None Un
changed
None Low Low 11.4 See
Note 28
CVE-2017-1000456 Oracle Solaris Poppler Multiple Yes 6.5 Network Low None Required Un
changed
None None High 11.4  
CVE-2018-3070 Oracle Solaris MySQL Multiple No 6.5 Network Low Low None Un
changed
None None High 11.4 See
Note 29
CVE-2018-3282 Oracle Solaris MySQL Multiple No 6.5 Network Low Low None Un
changed
None None High 11.4 See
Note 30
CVE-2018-3247 Oracle Solaris MySQL Multiple No 6.5 Network Low Low None Un
changed
None None High 11.4 See
Note 31
CVE-2018-1000115 Oracle Solaris Memcached Multiple Yes 5.3 Network Low None None Un
changed
None None Low 11.4  
CVE-2018-13988 Oracle Solaris Poppler None No 5.3 Local Low None Required Un
changed
Low Low Low 11.4  
CVE-2017-18267 Oracle Solaris Poppler None No 5.1 Local High None None Un
changed
None None High 11.4  
CVE-2018-0734 Oracle Solaris OpenSSL None No 5.1 Local High None None Un
changed
High None None 11.3, 10 See
Note 32
CVE-2018-5407 Oracle Solaris OpenSSL None No 4.8 Physical High Low None Changed High None None 11.3, 10  
CVE-2017-14517 Oracle Solaris Poppler None No 3.3 Local Low None Required Un
changed
None None Low 11.4 See
Note 33
CVE-2018-9918 Oracle Solaris Qpdf None No 3.3 Local Low None Required Un
changed
None None Low 11.4  

 

Notes:

1. This fix also addresses CVE-2019-5785.

2. This fix also addresses CVE-2018-4437 CVE-2018-4438 CVE-2018-4441 CVE-2018-4442 CVE-2018-4443.

3. This fix also addresses CVE-2018-16890 CVE-2019-3822.

4. This fix also addresses CVE-2017-1000116 CVE-2018-1000132 CVE-2018-13346 CVE-2018-13348.

5. This fix also addresses CVE-2018-1061.

6. This fix also addresses CVE-2018-1061.

7. This fix also addresses CVE-2018-20685 CVE-2019-6109 CVE-2019-6110 CVE-2019-6111.

8. This fix also addresses CVE-2017-5461 CVE-2018-0495.

9. This fix also addresses CVE-2017-14501 CVE-2017-14502 CVE-2017-14503.

10. This fix also addresses CVE-2018-12376 CVE-2018-12377 CVE-2018-12378 CVE-2018-12379 CVE-2018-12381 CVE-2018-12383 CVE-2018-12385 CVE-2018-12386 CVE-2018-12387.

11. This fix also addresses CVE-2018-12389 CVE-2018-12390 CVE-2018-12391 CVE-2018-12392 CVE-2018-12393 CVE-2018-12396 CVE-2018-12397.

12. This fix also addresses CVE-2018-12405 CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498.

13. This fix also addresses CVE-2018-18500 CVE-2018-18501.

14. This fix also addresses CVE-2016-2339 CVE-2017-17790 CVE-2018-8777.

15. This fix also addresses CVE-2018-1323.

16. This fix also addresses CVE-2018-16396.

17. This fix also addresses CVE-2017-13098 CVE-2017-13099.

18. This fix also addresses CVE-2016-2339 CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2017-6181 CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780.

19. This fix also addresses CVE-2018-1061.

20. This fix also addresses CVE-2019-5716 CVE-2019-5717 CVE-2019-5719.

21. This fix also addresses CVE-2017-11613 CVE-2018-15209 CVE-2018-17100 CVE-2018-17101.

22. This fix also addresses CVE-2017-18013 CVE-2018-10126 CVE-2018-10779 CVE-2018-10801 CVE-2018-12900 CVE-2018-18557 CVE-2018-18661 CVE-2018-7456 CVE-2018-8905.

23. This fix also addresses CVE-2018-6797 CVE-2018-6798.

24. This fix also addresses CVE-2018-19518.

25. This fix also addresses CVE-2018-17961 CVE-2018-18073 CVE-2018-18284.

26. This fix also addresses CVE-2018-19622 CVE-2018-19623 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628.

27. This fix also addresses CVE-2018-2767 CVE-2018-3058 CVE-2018-3062 CVE-2018-3064 CVE-2018-3066 CVE-2018-3070 CVE-2018-3081.

28. This fix also addresses CVE-2017-9951 CVE-2018-1000127.

29. This fix also addresses CVE-2018-2767 CVE-2018-3058 CVE-2018-3063 CVE-2018-3066 CVE-2018-3081.

30. This fix also addresses CVE-2018-3133 CVE-2018-3174.

31. This fix also addresses CVE-2018-3133 CVE-2018-3143 CVE-2018-3156 CVE-2018-3174 CVE-2018-3251 CVE-2018-3276 CVE-2018-3278 CVE-2018-3282.

32. This fix also addresses CVE-2018-0735 CVE-2018-5407.

33. This fix also addresses CVE-2017-14518 CVE-2017-14519 CVE-2017-14520 CVE-2017-14927 CVE-2017-14975 CVE-2017-14976 CVE-2017-14977 CVE-2017-15565.