http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698

SUSE-SU-2015:0743

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

70496

The version of MariaDB installed on the remote host is prior to 10.0.13. It is, therefore, affected by multiple vulnerabilities as referenced in the mariadb-10013-release-notes advisory, including the following:

  - A flaw in OpenSSL which fails to properly restrict     processing of ChangeCipherSpec messages. A     man-in-the-middle attacker can exploit this, via a     crafted TLS handshake, to force the use of a     zero-length master key in certain OpenSSL-to-OpenSSL     communications, resulting in the session being hijacked     and sensitive information being disclosed.
    (CVE-2014-0224)

 -  A buffer overflow error in OpenSSL related to invalid     DTLS fragment handling that can lead to execution of     arbitrary code or denial of service. This is caused by     improper validation on the fragment lengths in DTLS     ClientHello messages. (CVE-2014-0195)

  - An unspecified vulnerability in MariaDB Server related     to CLIENT:MYSQLDUMP that allows remote, authenticated     users to affect confidentiality, integrity, and     availability. (CVE-2014-6530)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of MariaDB installed on the remote host is prior to 5.5.39. It is, therefore, affected by multiple vulnerabilities as referenced in the mariadb-5539-release-notes advisory. These vulnerabilites relate to errors in the following components:

  - CLIENT:MYSQLADMIN
  - CLIENT:MYSQLDUMP
  - SERVER:CHARACTER SETS
  - SERVER:DDL
  - SERVER:DML
  - SERVER:MEMORY STORAGE ENGINE
  - SERVER:MyISAM
  - SERVER:PRIVILEGES AUTHENTICATION PLUGIN API
  - SERVER:REPLICATION ROW FORMAT BINARY LOG DML
  - SERVER:SSL:yaSSL

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of Junos Space running on the remote device is prior to 15.1R1. It is, therefore, affected by multiple vulnerabilities :

  - An error exists within the Apache 'mod_session_dbd'     module, related to save operations for a session, due to     a failure to consider the dirty flag and to require a     new session ID. An unauthenticated, remote attacker can     exploit this to have an unspecified impact.
    (CVE-2013-2249)

  - An unspecified flaw exists in the MySQL Server component     related to error handling that allows a remote attacker     to cause a denial of service condition. (CVE-2013-5908)

  - A flaw exists within the Apache 'mod_dav' module that is     caused when tracking the length of CDATA that has     leading white space. An unauthenticated, remote attacker     can exploit this, via a specially crafted DAV WRITE     request, to cause the service to stop responding.
    (CVE-2013-6438)

  - A flaw exists within the Apache 'mod_log_config' module     that is caused when logging a cookie that has an     unassigned value. An unauthenticated, remote attacker     can exploit this, via a specially crafted request, to     cause the service to crash. (CVE-2014-0098)

  - A flaw exists, related to pixel manipulation, in the     2D component in the Oracle Java runtime that allows an     unauthenticated, remote attacker to impact availability,     confidentiality, and integrity. (CVE-2014-0429)

  - A flaw exists, related to PKCS#1 unpadding, in the     Security component in the Oracle Java runtime that     allows an unauthenticated, remote attacker to gain     knowledge of timing information, which is intended to     be protected by encryption. (CVE-2014-0453)

  - A race condition exists, related to array copying, in     the Hotspot component in the Oracle Java runtime that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2014-0456)

  - A flaw exists in the JNDI component in the Oracle Java     runtime due to missing randomization of query IDs. An     unauthenticated, remote attacker can exploit this to     conduct spoofing attacks. (CVE-2014-0460)

  - A flaw exists in the Mozilla Network Security Services     (NSS) library, which is due to lenient parsing of ASN.1     values involved in a signature and can lead to the     forgery of RSA signatures, such as SSL certificates.
    (CVE-2014-1568)

  - An unspecified flaw exists in the MySQL Server component     related to the CLIENT:SSL:yaSSL subcomponent that allows     a remote attacker to impact integrity. (CVE-2014-6478)

  - Multiple unspecified flaws exist in the MySQL Server     component related to the SERVER:SSL:yaSSL subcomponent     that allow a remote attacker to impact confidentiality,     integrity, and availability. (CVE-2014-6491,     CVE-2014-6500)

  - Multiple unspecified flaws exist in the MySQL Server     component related to the CLIENT:SSL:yaSSL subcomponent     that allow a remote attacker to cause a denial of     service condition. (CVE-2014-6494, CVE-2014-6495,     CVE-2014-6496)

  - An unspecified flaw exists in the MySQL Server component     related to the C API SSL Certificate Handling     subcomponent that allows a remote attacker to disclose     potentially sensitive information. (CVE-2014-6559)

  - An unspecified flaw exists in the MySQL Server component     related to the Server:Compiling subcomponent that allows     an authenticated, remote attacker to cause a denial of     service condition. (CVE-2015-0501)

  - An XML external entity (XXE) injection vulnerability     exists in OpenNMS due to the Castor component accepting     XML external entities from exception messages. An     unauthenticated, remote attacker can exploit this, via     specially crafted XML data in a RTC post, to access     local files. (CVE-2015-0975)

  - An unspecified flaw exists in the MySQL Server component     related to the Server:Security:Privileges subcomponent     that allows a remote attacker to disclose potentially     sensitive information. (CVE-2015-2620)

  - A heap buffer overflow condition exists in QEMU in the     pcnet_transmit() function within file hw/net/pcnet.c     due to improper validation of user-supplied input when     handling multi-TMD packets with a length above 4096     bytes. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to gain elevated     privileges from guest to host. (CVE-2015-3209)

  - Multiple cross-site scripting (XSS), SQL injection, and     command injection vulnerabilities exist in Junos Space     that allow an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2015-7753)

mariadb was updated to version 10.0.16 to fix 40 security issues.

These security issues were fixed :

  - CVE-2015-0411: Unspecified vulnerability in Oracle MySQL     Server 5.5.40 and earlier, and 5.6.21 and earlier,     allowed remote attackers to affect confidentiality,     integrity, and availability via unknown vectors related     to Server : Security : Encryption (bnc#915911).

  - CVE-2015-0382: Unspecified vulnerability in Oracle MySQL     Server 5.5.40 and earlier and 5.6.21 and earlier allowed     remote attackers to affect availability via unknown     vectors related to Server : Replication, a different     vulnerability than CVE-2015-0381 (bnc#915911).

  - CVE-2015-0381: Unspecified vulnerability in Oracle MySQL     Server 5.5.40 and earlier and 5.6.21 and earlier allowed     remote attackers to affect availability via unknown     vectors related to Server : Replication, a different     vulnerability than CVE-2015-0382 (bnc#915911).

  - CVE-2015-0432: Unspecified vulnerability in Oracle MySQL     Server 5.5.40 and earlier allowed remote authenticated     users to affect availability via vectors related to     Server : InnoDB : DDL : Foreign Key (bnc#915911).

  - CVE-2014-6568: Unspecified vulnerability in Oracle MySQL     Server 5.5.40 and earlier, and 5.6.21 and earlier,     allowed remote authenticated users to affect     availability via vectors related to Server : InnoDB :
    DML (bnc#915911).

  - CVE-2015-0374: Unspecified vulnerability in Oracle MySQL     Server 5.5.40 and earlier and 5.6.21 and earlier allowed     remote authenticated users to affect confidentiality via     unknown vectors related to Server : Security :
    Privileges : Foreign Key (bnc#915911).

  - CVE-2014-6507: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier, and 5.6.20 and earlier,     allowed remote authenticated users to affect     confidentiality, integrity, and availability via vectors     related to SERVER:DML (bnc#915912).

  - CVE-2014-6491: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier and 5.6.20 and earlier allowed     remote attackers to affect confidentiality, integrity,     and availability via vectors related to     SERVER:SSL:yaSSL, a different vulnerability than     CVE-2014-6500 (bnc#915912).

  - CVE-2014-6500: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier, and 5.6.20 and earlier,     allowed remote attackers to affect confidentiality,     integrity, and availability via vectors related to     SERVER:SSL:yaSSL, a different vulnerability than     CVE-2014-6491 (bnc#915912).

  - CVE-2014-6469: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and eariler and 5.6.20 and earlier allowed     remote authenticated users to affect availability via     vectors related to SERVER:OPTIMIZER (bnc#915912).

  - CVE-2014-6555: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier and 5.6.20 and earlier allowed     remote authenticated users to affect confidentiality,     integrity, and availability via vectors related to     SERVER:DML (bnc#915912).

  - CVE-2014-6559: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier, and 5.6.20 and earlier,     allowed remote attackers to affect confidentiality via     vectors related to C API SSL CERTIFICATE HANDLING     (bnc#915912).

  - CVE-2014-6494: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier, and 5.6.20 and earlier,     allowed remote attackers to affect availability via     vectors related to CLIENT:SSL:yaSSL, a different     vulnerability than CVE-2014-6496 (bnc#915912).

  - CVE-2014-6496: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier, and 5.6.20 and earlier,     allowed remote attackers to affect availability via     vectors related to CLIENT:SSL:yaSSL, a different     vulnerability than CVE-2014-6494 (bnc#915912).

  - CVE-2014-6464: Unspecified vulnerability in Oracle MySQL     Server 5.5.39 and earlier and 5.6.20 and earlier allowed     remote authenticated users to affect availability via     vectors related to SERVER:INNODB DML FOREIGN KEYS     (bnc#915912).

  - CVE-2010-5298: Race condition in the ssl3_read_bytes     function in s3_pkt.c in OpenSSL through 1.0.1g, when     SSL_MODE_RELEASE_BUFFERS is enabled, allowed remote     attackers to inject data across sessions or cause a     denial of service (use-after-free and parsing error) via     an SSL connection in a multithreaded environment     (bnc#873351).

  - CVE-2014-0195: The dtls1_reassemble_fragment function in     d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before     1.0.0m, and 1.0.1 before 1.0.1h did not properly     validate fragment lengths in DTLS ClientHello messages,     which allowed remote attackers to execute arbitrary code     or cause a denial of service (buffer overflow and     application crash) via a long non-initial fragment     (bnc#880891).

  - CVE-2014-0198: The do_ssl3_write function in s3_pkt.c in     OpenSSL 1.x through 1.0.1g, when     SSL_MODE_RELEASE_BUFFERS is enabled, did not properly     manage a buffer pointer during certain recursive calls,     which allowed remote attackers to cause a denial of     service (NULL pointer dereference and application crash)     via vectors that trigger an alert condition     (bnc#876282).

  - CVE-2014-0221: The dtls1_get_message_fragment function     in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before     1.0.0m, and 1.0.1 before 1.0.1h allowed remote attackers     to cause a denial of service (recursion and client     crash) via a DTLS hello message in an invalid DTLS     handshake (bnc#915913).

  - CVE-2014-0224: OpenSSL before 0.9.8za, 1.0.0 before     1.0.0m, and 1.0.1 before 1.0.1h did not properly     restrict processing of ChangeCipherSpec messages, which     allowed man-in-the-middle attackers to trigger use of a     zero-length master key in certain OpenSSL-to-OpenSSL     communications, and consequently hijack sessions or     obtain sensitive information, via a crafted TLS     handshake, aka the 'CCS Injection' vulnerability     (bnc#915913).

  - CVE-2014-3470: The ssl3_send_client_key_exchange     function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0     before 1.0.0m, and 1.0.1 before 1.0.1h, when an     anonymous ECDH cipher suite is used, allowed remote     attackers to cause a denial of service (NULL pointer     dereference and client crash) by triggering a NULL     certificate value (bnc#915913).

  - CVE-2014-6474: Unspecified vulnerability in Oracle MySQL     Server 5.6.19 and earlier allowed remote authenticated     users to affect availability via vectors related to     SERVER:MEMCACHED (bnc#915913).

  - CVE-2014-6489: Unspecified vulnerability in Oracle MySQL     Server 5.6.19 and earlier allowed remote authenticated     users to affect integrity and availability via vectors     related to SERVER:SP (bnc#915913).

  - CVE-2014-6564: Unspecified vulnerability in Oracle MySQL     Server 5.6.19 and earlier allowed remote authenticated     users to affect availability via vectors related to     SERVER:INNODB FULLTEXT SEARCH DML (bnc#915913).

  - CVE-2012-5615: Oracle MySQL 5.5.38 and earlier, 5.6.19     and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13,     5.1.66, and possibly other versions, generates different     error messages with different time delays depending on     whether a user name exists, which allowed remote     attackers to enumerate valid usernames (bnc#915913).

  - CVE-2014-4274: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier and 5.6.19 and earlier allowed     local users to affect confidentiality, integrity, and     availability via vectors related to SERVER:MyISAM     (bnc#896400).

  - CVE-2014-4287: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier and 5.6.19 and earlier allowed     remote authenticated users to affect availability via     vectors related to SERVER:CHARACTER SETS (bnc#915913).

  - CVE-2014-6463: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier and 5.6.19 and earlier allowed     remote authenticated users to affect availability via     vectors related to SERVER:REPLICATION ROW FORMAT BINARY     LOG DML (bnc#915913).

  - CVE-2014-6478: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier, and 5.6.19 and earlier,     allowed remote attackers to affect integrity via vectors     related to SERVER:SSL:yaSSL (bnc#915913).

  - CVE-2014-6484: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier, and 5.6.19 and earlier,     allowed remote authenticated users to affect     availability via vectors related to SERVER:DML     (bnc#915913).

  - CVE-2014-6495: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier, and 5.6.19 and earlier,     allowed remote attackers to affect availability via     vectors related to SERVER:SSL:yaSSL (bnc#915913).

  - CVE-2014-6505: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier, and 5.6.19 and earlier,     allowed remote authenticated users to affect     availability via vectors related to SERVER:MEMORY     STORAGE ENGINE (bnc#915913).

  - CVE-2014-6520: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier allowed remote authenticated     users to affect availability via vectors related to     SERVER:DDL (bnc#915913).

  - CVE-2014-6530: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier, and 5.6.19 and earlier,     allowed remote authenticated users to affect     confidentiality, integrity, and availability via vectors     related to CLIENT:MYSQLDUMP (bnc#915913).

  - CVE-2014-6551: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier and 5.6.19 and earlier allowed     local users to affect confidentiality via vectors     related to CLIENT:MYSQLADMIN (bnc#915913).

  - CVE-2015-0391: Unspecified vulnerability in Oracle MySQL     Server 5.5.38 and earlier, and 5.6.19 and earlier,     allowed remote authenticated users to affect     availability via vectors related to DDL (bnc#915913).

  - CVE-2014-4258: Unspecified vulnerability in the MySQL     Server component in Oracle MySQL 5.5.37 and earlier and     5.6.17 and earlier allowed remote authenticated users to     affect confidentiality, integrity, and availability via     vectors related to SRINFOSC (bnc#915914).

  - CVE-2014-4260: Unspecified vulnerability in the MySQL     Server component in Oracle MySQL 5.5.37 and earlier, and     5.6.17 and earlier, allowed remote authenticated users     to affect integrity and availability via vectors related     to SRCHAR (bnc#915914).

  - CVE-2014-2494: Unspecified vulnerability in the MySQL     Server component in Oracle MySQL 5.5.37 and earlier     allowed remote authenticated users to affect     availability via vectors related to ENARC (bnc#915914).

  - CVE-2014-4207: Unspecified vulnerability in the MySQL     Server component in Oracle MySQL 5.5.37 and earlier     allowed remote authenticated users to affect     availability via vectors related to SROPTZR     (bnc#915914).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The MySQL datebase server was updated to 5.5.42, fixing various bugs and security issues.

More information can be found on :

  -     http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-     42.html

  -     http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-     41.html

  -     http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-     40.html Also various issues with the mysql start script     were fixed. (bsc#868673,bsc#878779)

This update provides MariaDB 5.5.42, which fixes several security issues and other bugs. Please refer to the Oracle Critical Patch Update Advisories and the Release Notes for MariaDB for further information regarding the security vulnerabilities.

Additionally the jemalloc packages is being provided as it was previousely provided with the mariadb source code, built and used but removed from the mariadb source code since 5.5.40.

Update to 5.5.40

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.40. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details :

  -     https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5
    -39.html
  -     https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5
    -40.html

  -     http://www.oracle.com/technetwork/topics/security/cpuoct     2014-1972960.html

Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.h tml.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of MySQL installed on the remote host is older than 5.5.39 or 5.6.20, and is thus unpatched for vulnerabilities within the following components:

  - MyISAM temporary files, which may allow a local attacker to gain elevated privileges

   - yaSSL, which contains an off-by-one overflow condition that can be leveraged for remote code execution

  - MySQL admin password exposure after a password change

  - mysqldump, which contains an overflow condition that can result in denial of service

  - Replication, which may crash the database when handling overly large statements (versions 5.6.x only)

  - InnoDB, which may crash when performing a DELETE operation (versions 5.6.x only)

The version of MySQL installed on the remote host is version 5.6.x prior to 5.6.20. It is, therefore, affected by errors in the following components :

  - CLIENT:MYSQLADMIN
  - CLIENT:MYSQLDUMP
  - SERVER:CHARACTER SETS
  - SERVER:DML
  - SERVER:MEMORY STORAGE ENGINE
  - SERVER:MyISAM
  - SERVER:PRIVILEGES AUTHENTICATION PLUGIN API
  - SERVER:REPLICATION ROW FORMAT BINARY LOG DML
  - SERVER:SSL:OpenSSL
  - SERVER:SSL:yaSSL

The version of MySQL installed on the remote host is version 5.5.x prior to 5.5.39. It is, therefore, affected by errors in the following components :

  - CLIENT:MYSQLADMIN
  - CLIENT:MYSQLDUMP
  - SERVER:CHARACTER SETS
  - SERVER:DDL
  - SERVER:DML
  - SERVER:MEMORY STORAGE ENGINE
  - SERVER:MyISAM
  - SERVER:PRIVILEGES AUTHENTICATION PLUGIN API
  - SERVER:REPLICATION ROW FORMAT BINARY LOG DML
  - SERVER:SSL:yaSSL

ID	Name	Product	Family	Severity
129359	MariaDB 10.0.0 < 10.0.13 Multiple Vulnerabilities	Nessus	Databases	medium
129354	MariaDB 5.5.0 < 5.5.39 Multiple Vulnerabilities	Nessus	Databases	medium
91778	Juniper Junos Space < 15.1R1 Multiple Vulnerabilities (JSA10698)	Nessus	Junos Local Security Checks	critical
83716	SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2015:0743-1)	Nessus	SuSE Local Security Checks	high
82428	SuSE 11.3 Security Update : MySQL (SAT Patch Number 10387)	Nessus	SuSE Local Security Checks	high
82344	Mandriva Linux Security Advisory : mariadb (MDVSA-2015:091)	Nessus	Mandriva Local Security Checks	high
79671	Fedora 20 : mariadb-galera-5.5.40-2.fc20 (2014-14791)	Nessus	Fedora Local Security Checks	medium
78589	Debian DSA-3054-1 : mysql-5.5 - security update	Nessus	Debian Local Security Checks	high
78505	Ubuntu 12.04 LTS / 14.04 LTS : mysql-5.5 vulnerabilities (USN-2384-1)	Nessus	Ubuntu Local Security Checks	high
8386	Oracle MySQL 5.5.x < 5.5.39 / 5.6.x < 5.6.20 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium
77670	MySQL 5.6.x < 5.6.20 Multiple Vulnerabilities (October 2014 CPU)	Nessus	Databases	medium
77669	MySQL 5.5.x < 5.5.39 Multiple Vulnerabilities (October 2014 CPU)	Nessus	Databases	medium

CVE-2014-6495

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins