Oracle Solaris Third Party Bulletin - October 2018

Related Vulnerabilities: CVE-2018-3187   CVE-2018-1000810   CVE-2017-8816   CVE-2018-5784   CVE-2018-19131   CVE-2018-18065   CVE-2018-6188   CVE-2018-16328   CVE-2017-14245   CVE-2018-16839   CVE-2014-10070   CVE-2018-14665   CVE-2018-17456   CVE-2018-4246   CVE-2016-6489   CVE-2018-5740   CVE-2017-10789   CVE-2018-14036   CVE-2017-17433   CVE-2018-17082   CVE-2018-14598   CVE-2017-6888   CVE-2018-1000161   CVE-2018-11784   CVE-2018-12086   CVE-2016-9841   CVE-2018-11439   CVE-2018-15173   CVE-2017-12176   CVE-2017-9224   CVE-2018-1000168   CVE-2018-14851   CVE-2018-7409   CVE-2016-9843   CVE-2018-2767   CVE-2018-3058   CVE-2018-3066   CVE-2018-3081   CVE-2018-3133   CVE-2018-3143   CVE-2018-3144   CVE-2018-3155   CVE-2018-3156   CVE-2018-3161   CVE-2018-3162   CVE-2018-3171   CVE-2018-3173   CVE-2018-3174   CVE-2018-3185   CVE-2018-3200   CVE-2018-3247   CVE-2018-3251   CVE-2018-3276   CVE-2018-3277   CVE-2018-3278   CVE-2018-3282   CVE-2018-3283   CVE-2018-3284   CVE-2018-14618   CVE-2017-17942   CVE-2017-18013   CVE-2018-15209   CVE-2018-19132   CVE-2017-12794   CVE-2018-7536   CVE-2018-7537   CVE-2017-18250   CVE-2018-10177   CVE-2018-11625   CVE-2018-12599   CVE-2018-12600   CVE-2018-13153   CVE-2018-14434   CVE-2018-14435   CVE-2018-14436   CVE-2018-14437   CVE-2018-14551   CVE-2018-16323   CVE-2018-16412   CVE-2018-16413   CVE-2018-16640   CVE-2018-16642   CVE-2018-16643   CVE-2018-16644   CVE-2018-16645   CVE-2018-16749   CVE-2018-16750   CVE-2018-18023   CVE-2018-18024   CVE-2018-18025   CVE-2018-18544   CVE-2018-9135   CVE-2017-14246   CVE-2017-14634   CVE-2017-17456   CVE-2017-17457   CVE-2017-6892   CVE-2018-13139   CVE-2018-13419   CVE-2017-14618   CVE-2018-16840   CVE-2018-16842   CVE-2014-10071   CVE-2014-10072   CVE-2016-10714   CVE-2017-18205   CVE-2017-18206   CVE-2018-1071   CVE-2018-1083   CVE-2018-1100   CVE-2018-7548   CVE-2018-7549   CVE-2018-11646   CVE-2018-11712   CVE-2018-11713   CVE-2018-12293   CVE-2018-12294   CVE-2018-12911   
CVE-2018-4101   CVE-2018-4113   CVE-2018-4114   CVE-2018-4117   CVE-2018-4118   CVE-2018-4119   CVE-2018-4120   CVE-2018-4121   CVE-2018-4122   CVE-2018-4125   CVE-2018-4127   CVE-2018-4128   CVE-2018-4129   CVE-2018-4133   CVE-2018-4146   CVE-2018-4161   CVE-2018-4162   CVE-2018-4163   CVE-2018-4165   CVE-2018-4190   CVE-2018-4192   CVE-2018-4199   CVE-2018-4200   CVE-2018-4201   CVE-2018-4204   CVE-2018-4214   CVE-2018-4218   CVE-2018-4222   CVE-2018-4232   CVE-2018-4233   CVE-2018-4261   CVE-2018-4262   CVE-2018-4263   CVE-2018-4264   CVE-2018-4265   CVE-2018-4266   CVE-2018-4267   CVE-2018-4270   CVE-2018-4271   CVE-2018-4272   CVE-2018-4273   CVE-2018-4278   CVE-2018-4284   CVE-2015-3152   CVE-2017-17434   CVE-2018-5764   CVE-2018-14599   CVE-2018-14600   CVE-2018-18225   CVE-2018-18226   CVE-2018-18227   CVE-2016-9840   CVE-2016-9842   CVE-2017-12177   CVE-2017-12178   CVE-2017-12179   CVE-2017-12180   CVE-2017-12181   CVE-2017-12182   CVE-2017-12183   CVE-2017-12184   CVE-2017-12185   CVE-2017-12186   CVE-2017-12187   CVE-2017-9225   CVE-2017-9226   CVE-2017-9227   CVE-2017-9228   CVE-2017-9229   CVE-2018-14883   CVE-2018-7485  

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 January 2019
  • 16 April 2019
  • 16 July 2019
  • 15 October 2019

Modification History

2018-December-14 Rev 3. Added all CVEs fixed in Solaris 11.4 SRU 4
2018-November-20 Rev 2. Added all CVEs fixed in Solaris 11.4 SRU 3
2018-October-16 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36 and Solaris 11.4 SRU 2

 

 

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 33 new security fixes for the Oracle Solaris Operating System. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

 

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2018-12-14

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-3187 | Solaris | MySQL | Multiple | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 1 |
| CVE-2018-1000810 | Solaris | Rust Language | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 | |
| CVE-2017-8816 | Solaris | libcurl | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 2 |
| CVE-2018-5784 | Solaris | GIMP | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 3 |
| CVE-2018-19131 | Solaris | Squid | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 4 |
| CVE-2018-18065 | Solaris | Net-SNMP | Multiple | Yes | 5.3 | Network | High | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2018-6188 | Solaris | Django Python web framework | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.4 | See Note 5 |
| CVE-2018-16328 | Solaris | ImageMagick | None | No | 4.7 | Local | High | None | Required | Unchanged | None | None | High | 11.4 | See Note 6 |
| CVE-2017-14245 | Solaris | Libsndfile | None | No | 4.4 | Local | Low | None | Required | Unchanged | Low | None | Low | 11.4 | See Note 7 |
| CVE-2018-16839 | Solaris | libcurl | None | No | 4.4 | Local | Low | None | Required | Unchanged | Low | None | Low | 11.4 | See Note 8 |
| CVE-2014-10070 | Solaris | Zsh Shell | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4, 10 | See Note 9 |


Revision 2: Published on 2018-11-20

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-14665 | Solaris | X.Org | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.4 | |
| CVE-2018-17456 | Solaris | Git | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2018-4246 | Solaris | WebKitGTK+ | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 10 |
| CVE-2016-6489 | Solaris | Nettle | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4 | |
| CVE-2018-5740 | Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2017-10789 | Solaris | Mysql module for perl | Multiple | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | 11.4 | See Note 11 |
| CVE-2018-14036 | Solaris | Accounts Service | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.4 | |
| CVE-2017-17433 | Solaris | RSYNC | Multiple | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 11.4, 10 | See Note 12 |
| CVE-2018-17082 | Solaris | PHP | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2018-14598 | Solaris | Libraries: Libx11 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | See Note 13 |
| CVE-2017-6888 | Solaris | Flac | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2018-1000161 | Solaris | NMap | Multiple | No | 5.5 | Network | Low | Low | Required | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2018-11784 | Solaris | Apache Tomcat | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.4 | |
| CVE-2018-12086 | Solaris | Wireshark | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 14 |
| CVE-2016-9841 | Solaris | RSYNC | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 15 |
| CVE-2018-11439 | Solaris | Taglib Audio Meta-Data Library | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | |
| CVE-2018-15173 | Solaris | NMap | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | |




Revision 1: Published on 2018-10-16

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-12176 | Solaris | X.Org | Multiple | No | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 11.3 | See Note 16 |
| CVE-2017-9224 | Solaris | Oniguruma | Multiple | Yes | 6.5 | Network | High | None | None | Unchanged | None | Low | High | 11.4 | See Note 17 |
| CVE-2018-1000168 | Solaris | NGHttp2 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2018-14851 | Solaris | PHP | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | See Note 18 |
| CVE-2018-7409 | Solaris | UnixODBC | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 19 |

 

Notes:

1. This fix also addresses CVE-2016-9843 CVE-2018-2767 CVE-2018-3058 CVE-2018-3066 CVE-2018-3081 CVE-2018-3133 CVE-2018-3143 CVE-2018-3144 CVE-2018-3155 CVE-2018-3156 CVE-2018-3161 CVE-2018-3162 CVE-2018-3171 CVE-2018-3173 CVE-2018-3174 CVE-2018-3185 CVE-2018-3200 CVE-2018-3247 CVE-2018-3251 CVE-2018-3276 CVE-2018-3277 CVE-2018-3278 CVE-2018-3282 CVE-2018-3283 CVE-2018-3284.

2. This fix also addresses CVE-2018-14618.

3. This fix also addresses CVE-2017-17942 CVE-2017-18013 CVE-2018-15209.

4. This fix also addresses CVE-2018-19132.

5. This fix also addresses CVE-2017-12794 CVE-2018-7536 CVE-2018-7537.

6. This fix also addresses CVE-2017-18250 CVE-2018-10177 CVE-2018-11625 CVE-2018-12599 CVE-2018-12600 CVE-2018-13153 CVE-2018-14434 CVE-2018-14435 CVE-2018-14436 CVE-2018-14437 CVE-2018-14551 CVE-2018-16323 CVE-2018-16412 CVE-2018-16413 CVE-2018-16640 CVE-2018-16642 CVE-2018-16643 CVE-2018-16644 CVE-2018-16645 CVE-2018-16749 CVE-2018-16750 CVE-2018-18023 CVE-2018-18024 CVE-2018-18025 CVE-2018-18544 CVE-2018-9135.

7. This fix also addresses CVE-2017-14246 CVE-2017-14634 CVE-2017-17456 CVE-2017-17457 CVE-2017-6892 CVE-2018-13139 CVE-2018-13419.

8. This fix also addresses CVE-2017-14618 CVE-2018-14618 CVE-2018-16840 CVE-2018-16842.

9. This fix also addresses CVE-2014-10071 CVE-2014-10072 CVE-2016-10714 CVE-2017-18205 CVE-2017-18206 CVE-2018-1071 CVE-2018-1083 CVE-2018-1100 CVE-2018-7548 CVE-2018-7549.

10. This fix also addresses CVE-2018-11646 CVE-2018-11712 CVE-2018-11713 CVE-2018-12293 CVE-2018-12294 CVE-2018-12911 CVE-2018-4101 CVE-2018-4113 CVE-2018-4114 CVE-2018-4117 CVE-2018-4118 CVE-2018-4119 CVE-2018-4120 CVE-2018-4121 CVE-2018-4122 CVE-2018-4125 CVE-2018-4127 CVE-2018-4128 CVE-2018-4129 CVE-2018-4133 CVE-2018-4146 CVE-2018-4161 CVE-2018-4162 CVE-2018-4163 CVE-2018-4165 CVE-2018-4190 CVE-2018-4192 CVE-2018-4199 CVE-2018-4200 CVE-2018-4201 CVE-2018-4204 CVE-2018-4214 CVE-2018-4218 CVE-2018-4222 CVE-2018-4232 CVE-2018-4233 CVE-2018-4261 CVE-2018-4262 CVE-2018-4263 CVE-2018-4264 CVE-2018-4265 CVE-2018-4266 CVE-2018-4267 CVE-2018-4270 CVE-2018-4271 CVE-2018-4272 CVE-2018-4273 CVE-2018-4278 CVE-2018-4284.

11. This fix also addresses CVE-2015-3152.

12. This fix also addresses CVE-2017-17434 CVE-2018-5764.

13. This fix also addresses CVE-2018-14599 CVE-2018-14600.

14. This fix also addresses CVE-2018-18225 CVE-2018-18226 CVE-2018-18227.

15. This fix also addresses CVE-2016-9840 CVE-2016-9842 CVE-2016-9843.

16. This fix also addresses CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12179 CVE-2017-12180 CVE-2017-12181 CVE-2017-12182 CVE-2017-12183 CVE-2017-12184 CVE-2017-12185 CVE-2017-12186 CVE-2017-12187.

17. This fix also addresses CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229.

18. This fix also addresses CVE-2018-14883.

19. This fix also addresses CVE-2018-7485.