MariaDB Server 10.0.x < 10.0.20 Multiple Vulnerabilities (BACKRONYM)

medium Nessus Network Monitor Plugin ID 9282

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

MariaDB is a community-developed fork of the MySQL relational database. The version of MariaDB running on the remote host is 10.0.x prior to 10.0.20. It is, therefore, affected by multiple vulnerabilities:
- An unspecified flaw exists in the GIS component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2582)
- An unspecified flaw exists in the Security: Privileges component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2015-2620)
- An unspecified flaw exists in the Optimizer component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2643)
- An unspecified flaw exists in the DML component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-2648)
- A security feature bypass vulnerability, known as 'BACKRONYM', exists due to a failure to properly enforce the requirement of an SSL/TLS connection when the --ssl client option is used. A man-in-the-middle attacker can exploit this flaw to coerce the client to downgrade to an unencrypted connection, allowing the attacker to disclose data from the database or manipulate database queries. (CVE-2015-3152)
- An unspecified flaw exists in the I_S component that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-4752)
- An unspecified flaw exists in the Security: Privileges component that allows an authenticated, remote attacker to impact integrity. (CVE-2015-4864)
- A denial of service vulnerability exists in the get_server_from_table_to_cache() function within file sql/sql_servers.cc when handling empty names. An authenticated, remote attacker can exploit this to crash the server.
- A denial of service vulnerability exists when updating leaf tables with JOIN during list storing. An authenticated, remote attacker can exploit this to crash the server.
- A denial of service vulnerability exists within file ha_innodb.cc when handling concurrent multi-table updates. An authenticated, remote attacker can exploit this to crash the server.
- An out-of-bounds read error exists in the escape_string_hide_passwords() function within file plugin/server_audit/server_audit.c when handling specially crafted SET PASSWORD queries. An authenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition.
- A denial of service vulnerability exists in the wait_for_workers_idle() function within file rpl_parallel.cc when handling worker threads. An authenticated, remote attacker can exploit this to crash the database.
- A denial of service vulnerability exists in sys_var_pluginvar::plugin due to improper initialization, leading to a race condition between INSTALL PLUGIN and SET that results in an uninitialized memory reference. An authenticated, remote attacker can exploit this to crash the database.

Solution

Upgrade to version 10.0.20 or later.

See Also

https://blog.mariadb.org/mariadb-10-0-20-now-available

https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog

Plugin Details

Severity: Medium

ID: 9282

Family: Database

Published: 5/13/2016

Updated: 3/6/2019

Nessus ID: 84796

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mariadb:mariadb

Patch Publication Date: 5/15/2015

Vulnerability Publication Date: 5/15/2015

Reference Information

CVE: CVE-2015-2582, CVE-2015-2620, CVE-2015-2643, CVE-2015-2648, CVE-2015-3152, CVE-2015-4752, CVE-2015-4864