102065

56491

GLSA-201409-04

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

64758

64873

oracle-cpujan2014-cve20135894(90376)

The remote host is affected by the vulnerability described in GLSA-201409-04 (MySQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MySQL. Please review       the CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly gain escalated privileges. A remote       attacker could send a specially crafted SQL query, possibly resulting in       a Denial of Service condition. A remote attacker could entice a user to       connect to specially crafted MySQL server, possibly resulting in       execution of arbitrary code with the privileges of the process.
  Workaround :

    There is no known workaround at this time.

MySQL was updated to version 5.5.37 to address various security issues.

More information is available at http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.h tml#AppendixMSQL and http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.h tml#AppendixMSQL .

The version of MariaDB 5.5 running on the remote host is a version prior to 5.5.35. It is, therefore, potentially affected by the following vulnerabilities :

  - Errors exist related to the following subcomponents :
    Error Handling, FTS, GIS, InnoDB, Locking, Optimizer,     Partition, Performance Schema, Privileges, Replication,     and Thread Pooling. (CVE-2013-5860, CVE-2013-5881,     CVE-2013-5891, CVE-2013-5894, CVE-2013-5908,     CVE-2014-0386, CVE-2014-0393, CVE-2014-0401,     CVE-2014-0402, CVE-2014-0412, CVE-2014-0420,     CVE-2014-0427, CVE-2014-0430, CVE-2014-0431,     CVE-2014-0433, CVE-2014-0437)

  - An unspecified error exists related to stored     procedures handling that could allow denial of service     attacks. (CVE-2013-5882)

  - An error exists in the file 'client/mysql.cc' that     could allow a buffer overflow leading to denial of     service or possibly arbitrary code execution.
    (CVE-2014-0001)

The version of MySQL installed on the remote host is earlier than 5.6.15. Therefore, vulnerabilities likely exist in the following components :

  - Service Manager
  - GIS
  - Stored Procedure
  - Thread Pooling
  - InnoDB
  - Locking
  - Optimizer
  - Partition
  - Privileges
  - FTS
  - Performance Schema
  - Replication
  - Error Handling

The version of MySQL installed on the remote host is 5.6.x older than 5.6.14.  As such, it is reportedly affected by vulnerabilities in the following components :

  - FTS
  - InnoDB
  - Locking
  - Optimizer
  - Partition
  - Performance Schema
  - Stored Procedure
  - Thread Pooling

ID	Name	Product	Family	Severity
77548	GLSA-201409-04 : MySQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
74373	SuSE 11.3 Security Update : MySQL (SAT Patch Number 9303)	Nessus	SuSE Local Security Checks	critical
72374	MariaDB 5.5 < 5.5.35 Multiple Vulnerabilities	Nessus	Databases	high
8082	Oracle MySQL 5.6.x < 5.6.15 Remote Code Execution	Nessus Network Monitor	Database	medium
71975	MySQL 5.6.x < 5.6.14 Multiple Vulnerabilities	Nessus	Databases	low

CVE-2013-5894

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

high

medium

low