Oracle Solaris Third Party Bulletin - October 2017


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins will also be updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 January 2018
  • 17 April 2018
  • 17 July 2018
  • 16 October 2018

Modification History

2017-December-18 Rev 3. Added all CVEs fixed in Solaris 11.3 SRU 27
2017-November-16 Rev 2. Added all CVEs fixed in Solaris 11.3 SRU 26
2017-October-17 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 SRU 25

Oracle Solaris Executive Summary

This Third Party Bulletin contains 53 new security fixes for Oracle Solaris. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2017-12-18



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-9534 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9535 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9536 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9537 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9538 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9539 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-9540 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-5225 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-5563 | Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-7828 | Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 15 |
| CVE-2017-7828 | Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 15 |
| CVE-2017-13704 | Solaris | DNSmasq | Multiple | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | None | High | 11.3 | See Note 14 |
| CVE-2016-9318 | Solaris | Libxml2 | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-13089 | Solaris | Wget | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.3, 10 | See Note 17 |
| CVE-2016-9533 | Solaris | LibTIFF | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-10314 | Solaris | MySQL | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 16 |
| CVE-2017-10989 | Solaris | SQLite3 | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | |
| CVE-2016-10092 | Solaris | LibTIFF | None | No | 7 | Local | High | None | Required | Unchanged | High | High | High | 11.3, 10 | See Note 11 |
| CVE-2015-8870 | Solaris | LibTIFF | Multiple | Yes | 6.8 | Network | High | None | Required | Unchanged | High | None | High | 11.3, 10 | |
| CVE-2017-10378 | Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.3 | See Note 13 |
| CVE-2017-16548 | Solaris | RSYNC | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.3 | |
| CVE-2017-5969 | Solaris | Libxml2 | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.3 | |
| CVE-2017-9526 | Solaris | Libgcrypt | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.3 | See Note 12 |
| CVE-2016-3186 | Solaris | LibTIFF | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3 | |
| CVE-2016-3619 | Solaris | LibTIFF | None | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3 | See Note 9 |
| CVE-2016-5102 | Solaris | LibTIFF | None | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2017-6508 | Solaris | Wget | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3, 10 | |
| CVE-2014-8127 | Solaris | LibTIFF | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3, 10 | See Note 10 |
| CVE-2016-9273 | Solaris | LibTIFF | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2016-9297 | Solaris | LibTIFF | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2016-9532 | Solaris | LibTIFF | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3, 10 | |
| CVE-2017-9117 | Solaris | LibTIFF | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3 | |


Revision 2: Published on 2017-11-16



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-13026 | Solaris | TCPdump | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | See Note 8 |
| CVE-2017-6257 | Solaris | NVIDIA-GFX Kernel driver | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.3 | |
| CVE-2017-7823 | Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 2 |
| CVE-2017-12617 | Solaris | Apache Tomcat | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3 | |
| CVE-2017-15191 | Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 7 |
| CVE-2017-1000083 | Solaris | Evince | Multiple | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 11.3, 10 | |
| CVE-2017-6266 | Solaris | NVIDIA-GFX Kernel driver | None | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 11.3 | |
| CVE-2017-6267 | Solaris | NVIDIA-GFX Kernel driver | None | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 11.3 | |
| CVE-2017-6259 | Solaris | NVIDIA-GFX Kernel driver | Multiple | Yes | 6.1 | Network | High | None | Required | Changed | None | None | High | 11.3 | |
| CVE-2017-3735 | Solaris | OpenSSL | SSL/TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3, 10 | |
| CVE-2017-14989 | Solaris | ImageMagick | None | No | 4.4 | Local | High | Low | Required | Unchanged | None | None | High | 11.3, 10 | |




Revision 1: Published on 2017-10-17



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-14482 | Solaris | GNU Emacs | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3 | |
| CVE-2017-12151 | Solaris | Samba | SMB | No | 8.1 | Adjacent Network | Low | None | None | Unchanged | High | High | None | 11.3, 10 | See Note 3 |
| CVE-2017-7674 | Solaris | Apache Tomcat | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3 | See Note 1 |
| CVE-2017-13765 | Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 6 |
| CVE-2017-7823 | Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3 | See Note 2 |
| CVE-2016-6313 | Solaris | libgcrypt | Multiple | No | 6.8 | Network | Low | Low | Required | Unchanged | Low | High | Low | 11.3 | |
| CVE-2017-3651 | Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.3 | See Note 5 |
| CVE-2017-3651 | Solaris | MySQL | None | No | 5.3 | Local | Low | Low | None | Unchanged | Low | Low | Low | 11.3 | See Note 4 |
| CVE-2017-7526 | Solaris | Libgcrypt | None | No | 4.6 | Local | High | High | Required | Unchanged | High | Low | None | 11.3 | |
| CVE-2015-7511 | Solaris | libgcrypt | None | No | 2 | Physical | High | None | None | Unchanged | Low | None | None | 11.3 | |

Notes:

  1. This fix also addresses CVE-2017-7675.
  2. This fix also addresses CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814 CVE-2017-7818 CVE-2017-7819 CVE-2017-7824 CVE-2017-7825.
  3. This fix also addresses CVE-2017-12150 CVE-2017-12163.
  4. This fix also addresses CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648 CVE-2017-3652 CVE-2017-3653 CVE-2016-3492 CVE-2016-5584 CVE-2016-5612 CVE-2016-5616 CVE-2016-5617 CVE-2016-5624 CVE-2016-5629 CVE-2016-6662 CVE-2016-7440 CVE-2016-8283.
  5. This fix also addresses CVE-2017-3634 CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3647 CVE-2017-3648 CVE-2017-3649 CVE-2017-3652 CVE-2017-3653 CVE-2017-3732 CVE-2016-8318 CVE-2017-3238 CVE-2017-3244 CVE-2017-3257 CVE-2017-3258 CVE-2017-3265 CVE-2017-3273 CVE-2017-3291 CVE-2017-3312.
  6. This fix also addresses CVE-2017-13766 CVE-2017-13767.
  7. This fix also addresses CVE-2017-15189 CVE-2017-15190 CVE-2017-15192 CVE-2017-15193.
  8. This fix also addresses CVE-2017-11108 CVE-2017-11541 CVE-2017-11542 CVE-2017-11543 CVE-2017-12893 CVE-2017-12894 CVE-2017-12895 CVE-2017-12896 CVE-2017-12897 CVE-2017-12898 CVE-2017-12899 CVE-2017-12900 CVE-2017-12901 CVE-2017-12902 CVE-2017-12985 CVE-2017-12986 CVE-2017-12987 CVE-2017-12988 CVE-2017-12989 CVE-2017-12990 CVE-2017-12991 CVE-2017-12992 CVE-2017-12993 CVE-2017-12994 CVE-2017-12995 CVE-2017-12996 CVE-2017-12997 CVE-2017-12998 CVE-2017-12999 CVE-2017-13000 CVE-2017-13001 CVE-2017-13002 CVE-2017-13003 CVE-2017-13004 CVE-2017-13005 CVE-2017-13006 CVE-2017-13007 CVE-2017-13008 CVE-2017-13009 CVE-2017-13010 CVE-2017-13011 CVE-2017-13012 CVE-2017-13013 CVE-2017-13014 CVE-2017-13015 CVE-2017-13016 CVE-2017-13017 CVE-2017-13018 CVE-2017-13019 CVE-2017-13020 CVE-2017-13021 CVE-2017-13022 CVE-2017-13023 CVE-2017-13024 CVE-2017-13025 CVE-2017-13027 CVE-2017-13028 CVE-2017-13029 CVE-2017-13030 CVE-2017-13031 CVE-2017-13032 CVE-2017-13033 CVE-2017-13034 CVE-2017-13035 CVE-2017-13036 CVE-2017-13037 CVE-2017-13038 CVE-2017-13039 CVE-2017-13040 CVE-2017-13041 CVE-2017-13042 CVE-2017-13043 CVE-2017-13044 CVE-2017-13045 CVE-2017-13046 CVE-2017-13047 CVE-2017-13048 CVE-2017-13049 CVE-2017-13050 CVE-2017-13051 CVE-2017-13052 CVE-2017-13053 CVE-2017-13054 CVE-2017-13055 CVE-2017-13687 CVE-2017-13688 CVE-2017-13689 CVE-2017-13690 CVE-2017-13725.
  9. This fix also addresses CVE-2016-3620 CVE-2016-3621 CVE-2016-3622 CVE-2016-3623 CVE-2016-3624 CVE-2016-3625 CVE-2016-3631 CVE-2016-3632 CVE-2016-3633 CVE-2016-3634 CVE-2016-3658 CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 CVE-2016-5314 CVE-2016-5315 CVE-2016-5316 CVE-2016-5317 CVE-2016-5318 CVE-2016-5319 CVE-2016-5320 CVE-2016-5321 CVE-2016-5322 CVE-2016-5323 CVE-2016-5875 CVE-2016-6223.
  10. This fix also addresses CVE-2014-8128 CVE-2014-8129 CVE-2014-8130.
  11. This fix also addresses CVE-2016-10093 CVE-2016-10094 CVE-2016-10095 CVE-2017-7592 CVE-2017-7593 CVE-2017-7594 CVE-2017-7595 CVE-2017-7596 CVE-2017-7597 CVE-2017-7598 CVE-2017-7599 CVE-2017-7600 CVE-2017-7601 CVE-2017-7602.
  12. This fix also addresses CVE-2017-0379.
  13. This fix also addresses CVE-2017-10268 CVE-2017-10379 CVE-2017-10384 CVE-2017-3651 CVE-2017-3652 CVE-2017-3653.
  14. This fix also addresses CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496.
  15. This fix also addresses CVE-2017-7826 CVE-2017-7830.
  16. This fix also addresses CVE-2017-10155 CVE-2017-10227 CVE-2017-10268 CVE-2017-10276 CVE-2017-10279 CVE-2017-10283 CVE-2017-10286 CVE-2017-10294 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384 CVE-2017-3731.
  17. This fix also addresses CVE-2017-13090.