Oracle Solaris Third Party Bulletin - October 2018


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 January 2019
  • 16 April 2019
  • 16 July 2019
  • 15 October 2019

References


Modification History

2018-December-14 Rev 3. Added all CVEs fixed in Solaris 11.4 SRU 4
2018-November-20 Rev 2. Added all CVEs fixed in Solaris 11.4 SRU 3
2018-October-16 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36 and Solaris 11.4 SRU 2

 

 

Oracle Solaris Executive Summary

 

This Oracle Solaris Bulletin contains 33 new security fixes for the Oracle Solaris Operating System.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

 

Oracle Solaris Third Party Bulletin Risk Matrix

 


Revision 3: Published on 2018-12-14



CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-3187 Solaris MySQL Multiple No 8.8 Network Low Low None Un
changed
High High High 11.4 See
Note 1
CVE-2018-1000810 Solaris Rust Language None No 7.8 Local Low Low None Un
changed
High High High 11.4  
CVE-2017-8816 Solaris libcurl Multiple Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 2
CVE-2018-5784 Solaris GIMP Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 3
CVE-2018-19131 Solaris Squid Multiple Yes 6.1 Network Low None Required Changed Low Low None 11.4 See
Note 4
CVE-2018-18065 Solaris Net-SNMP Multiple Yes 5.3 Network High None Required Un
changed
None None High 11.4  
CVE-2018-6188 Solaris Django Python web framework Multiple Yes 5.3 Network Low None None Un
changed
Low None None 11.4 See
Note 5
CVE-2018-16328 Solaris ImageMagick None No 4.7 Local High None Required Un
changed
None None High 11.4 See
Note 6
CVE-2017-14245 Solaris Libsndfile None No 4.4 Local Low None Required Un
changed
Low None Low 11.4 See
Note 7
CVE-2018-16839 Solaris libcurl None No 4.4 Local Low None Required Un
changed
Low None Low 11.4 See
Note 8
CVE-2014-10070 Solaris Zsh Shell None No 3.3 Local Low None Required Un
changed
None None Low 11.4, 10 See
Note 9


Revision 2: Published on 2018-11-20



CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-14665 Solaris X.Org None No 8.8 Local Low Low None Changed High High High 11.4  
CVE-2018-17456 Solaris Git Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4  
CVE-2018-4246 Solaris WebKitGTK+ Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 10
CVE-2016-6489 Solaris Nettle Multiple Yes 7.5 Network Low None None Un
changed
High None None 11.4  
CVE-2018-5740 Solaris Bind DNS Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2017-10789 Solaris Mysql module for perl Multiple Yes 6.8 Network High None Required Un
changed
High High None 11.4 See
Note 11
CVE-2018-14036 Solaris Accounts Service Multiple No 6.5 Network Low Low None Un
changed
High None None 11.4  
CVE-2017-17433 Solaris RSYNC Multiple No 6.3 Network Low Low None Un
changed
Low Low Low 11.4, 10 See
Note 12
CVE-2018-17082 Solaris PHP Multiple Yes 6.1 Network Low None Required Changed Low Low None 11.4  
CVE-2018-14598 Solaris Libraries: Libx11 Multiple Yes 5.9 Network High None None Un
changed
None None High 11.4 See
Note 13
CVE-2017-6888 Solaris Flac None No 5.5 Local Low None Required Un
changed
None None High 11.4  
CVE-2018-1000161 Solaris NMap Multiple No 5.5 Network Low Low Required Un
changed
Low Low Low 11.4  
CVE-2018-11784 Solaris Apache Tomcat Multiple Yes 5.3 Network Low None None Un
changed
None Low None 11.4  
CVE-2018-12086 Solaris Wireshark Multiple Yes 5.3 Network Low None None Un
changed
None None Low 11.4 See
Note 14
CVE-2016-9841 Solaris RSYNC None No 3.3 Local Low None Required Un
changed
None None Low 11.4 See
Note 15
CVE-2018-11439 Solaris Taglib Audio Meta-Data Library None No 3.3 Local Low None Required Un
changed
None None Low 11.4  
CVE-2018-15173 Solaris NMap None No 3.3 Local Low None Required Un
changed
None None Low 11.4  




Revision 1: Published on 2018-10-16



CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-12176 Solaris X.Org Multiple No 7.5 Adjacent
Network
High None None Un
changed
High High High 11.3 See
Note 16
CVE-2017-9224 Solaris Oniguruma Multiple Yes 6.5 Network High None None Un
changed
None Low High 11.4 See
Note 17
CVE-2018-1000168 Solaris NGHttp2 Multiple Yes 5.9 Network High None None Un
changed
None None High 11.4  
CVE-2018-14851 Solaris PHP Multiple Yes 5.9 Network High None None Un
changed
None None High 11.4 See
Note 18
CVE-2018-7409 Solaris UnixODBC Multiple Yes 5.3 Network Low None None Un
changed
None None Low 11.4 See
Note 19

 

Notes:

1. This fix also addresses CVE-2016-9843 CVE-2018-2767 CVE-2018-3058 CVE-2018-3066 CVE-2018-3081 CVE-2018-3133 CVE-2018-3143 CVE-2018-3144 CVE-2018-3155 CVE-2018-3156 CVE-2018-3161 CVE-2018-3162 CVE-2018-3171 CVE-2018-3173 CVE-2018-3174 CVE-2018-3185 CVE-2018-3200 CVE-2018-3247 CVE-2018-3251 CVE-2018-3276 CVE-2018-3277 CVE-2018-3278 CVE-2018-3282 CVE-2018-3283 CVE-2018-3284.

2. This fix also addresses CVE-2018-14618.

3. This fix also addresses CVE-2017-17942 CVE-2017-18013 CVE-2018-15209.

4. This fix also addresses CVE-2018-19132.

5. This fix also addresses CVE-2017-12794 CVE-2018-7536 CVE-2018-7537.

6. This fix also addresses CVE-2017-18250 CVE-2018-10177 CVE-2018-11625 CVE-2018-12599 CVE-2018-12600 CVE-2018-13153 CVE-2018-14434 CVE-2018-14435 CVE-2018-14436 CVE-2018-14437 CVE-2018-14551 CVE-2018-16323 CVE-2018-16412 CVE-2018-16413 CVE-2018-16640 CVE-2018-16642 CVE-2018-16643 CVE-2018-16644 CVE-2018-16645 CVE-2018-16749 CVE-2018-16750 CVE-2018-18023 CVE-2018-18024 CVE-2018-18025 CVE-2018-18544 CVE-2018-9135.

7. This fix also addresses CVE-2017-14246 CVE-2017-14634 CVE-2017-17456 CVE-2017-17457 CVE-2017-6892 CVE-2018-13139 CVE-2018-13419.

8. This fix also addresses CVE-2017-14618 CVE-2018-14618 CVE-2018-16840 CVE-2018-16842.

9. This fix also addresses CVE-2014-10071 CVE-2014-10072 CVE-2016-10714 CVE-2017-18205 CVE-2017-18206 CVE-2018-1071 CVE-2018-1083 CVE-2018-1100 CVE-2018-7548 CVE-2018-7549.

10. This fix also addresses CVE-2018-11646 CVE-2018-11712 CVE-2018-11713 CVE-2018-12293 CVE-2018-12294 CVE-2018-12911 CVE-2018-4101 CVE-2018-4113 CVE-2018-4114 CVE-2018-4117 CVE-2018-4118 CVE-2018-4119 CVE-2018-4120 CVE-2018-4121 CVE-2018-4122 CVE-2018-4125 CVE-2018-4127 CVE-2018-4128 CVE-2018-4129 CVE-2018-4133 CVE-2018-4146 CVE-2018-4161 CVE-2018-4162 CVE-2018-4163 CVE-2018-4165 CVE-2018-4190 CVE-2018-4192 CVE-2018-4199 CVE-2018-4200 CVE-2018-4201 CVE-2018-4204 CVE-2018-4214 CVE-2018-4218 CVE-2018-4222 CVE-2018-4232 CVE-2018-4233 CVE-2018-4261 CVE-2018-4262 CVE-2018-4263 CVE-2018-4264 CVE-2018-4265 CVE-2018-4266 CVE-2018-4267 CVE-2018-4270 CVE-2018-4271 CVE-2018-4272 CVE-2018-4273 CVE-2018-4278 CVE-2018-4284.

11. This fix also addresses CVE-2015-3152.

12. This fix also addresses CVE-2017-17434 CVE-2018-5764.

13. This fix also addresses CVE-2018-14599 CVE-2018-14600.

14. This fix also addresses CVE-2018-18225 CVE-2018-18226 CVE-2018-18227.

15. This fix also addresses CVE-2016-9840 CVE-2016-9842 CVE-2016-9843.

16. This fix also addresses CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12179 CVE-2017-12180 CVE-2017-12181 CVE-2017-12182 CVE-2017-12183 CVE-2017-12184 CVE-2017-12185 CVE-2017-12186 CVE-2017-12187.

17. This fix also addresses CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229.

18. This fix also addresses CVE-2018-14883.

19. This fix also addresses CVE-2018-7485.