Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Oracle MySQL 5.5.x < 5.5.47 Multiple Vulnerabilities

High

Synopsis

The remote database server is vulnerable to multiple attack vectors.

Description

The version of MySQL installed on the remote host is version 5.5.x prior to 5.5.47 and is affected by multiple issues :

- A flaw exists that is triggered when repeatedly executing a prepared statement when the default database has been changed. This may allow an authenticated attacker to cause a server exit. (OSVDB 131599) - A flaw exists that is triggered when updating views using ALL comparison operators on subqueries that select from indexed columns in the main table. This may allow an authenticated attacker to cause the server to exit. (OSVDB 131610) - An overflow condition exists in 'strcpy()' and 'sprintf()'. The issue is triggered as user-supplied input is not properly validated. This may allow an authenticated attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (OSVDB 131612) - A flaw exists that is triggered when handling concurrent FLUSH PRIVILEGES and REVOKE or GRANT statements. This may allow an authenticated attacker to cause the server to exit by triggering an invalid memory access to proxy user information. (OSVDB 131614) - A flaw exists that is triggered on the second execution of a prepared statement where an ORDER BY clause references a column position. This may allow an authenticated attacker to cause the server to exit. (OSVDB 131615) - An unspecified flaw exists related to the Client subcomponent. This may allow a local attacker to gain elevated privileges. No further details have been provided by the vendor. (CVE-2016-0546) - An unspecified flaw exists related to the Server:Security:Encryption subcomponent. This may allow an authenticated attacker to have an unspecified impact on integrity. No further details have been provided by the vendor. (CVE-2016-0606)

Additionally, multiple unspecified flaws exist related to the following subcomponents : - Server:Options (OSVDB 133171) - Server:DML (OSVDB 133175) - Server:Optimizer (OSVDB 133177) - Server:Optimizer (OSVDB 133179) - Server:DML (OSVDB 133180) - Server:InnoDB (OSVDB 133181) - Server:UDF (OSVDB 133186) - Server:Security:Privileges (OSVDB 133190) These flaws may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. - An unspecified flaw related to the Optimizer subcomponent may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (OSVDB 137334)

Solution

Upgrade to MySQL 5.5.x to 5.5.47 or later.