http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

93617

1037050

GLSA-201701-01

Oracle reports :

Local security vulnerability in 'Server: Packaging' sub component.

The remote host is affected by the vulnerability described in GLSA-201701-01 (MariaDB and MySQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MariaDB and MySQL.
      Please review the CVE identifiers referenced below for details.
  Impact :

    Attackers could execute arbitrary code, escalate privileges, and impact       availability via unspecified vectors.
  Workaround :

    There is no known workaround at this time.

The version of MySQL installed on the remote host is version 5.7.x prior to 5.7.15 and is affected by multiple issues :

 - A flaw exists related to the way 'REPAIR TABLE' uses temporary files.  This may allow an authenticated attacker to gain elevated privileges.
 - A flaw exists in InnoDB that is triggered during the handling of an operation that dropped and created a full-text search table.  This may allow an authenticated attacker to trigger an assertion and cause a denial of service.
 - A flaw exists in InnoDB that is triggered when accessing full-text search auxiliary tables while dropping the indexed table.  This may allow an authenticated attacker to trigger an assertion and cause a denial of service.
 - An overflow condition exists that is triggered as certain input is not properly validated when handling long integer values in 'MEDIUMINT' columns.  This may allow an authenticated attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - A flaw exists in the 'validate_password' plugin that is triggered as rejected passwords are logged in plaintext on the error log.  This may allow a local attacker to gain access to passwords that did not meet the password policy, but may potentially be very close to the password ultimately chosen and accepted.
 - A flaw exists in InnoDB that is triggered during the handling of an 'ALTER TABLE ... ENCRYPTION=Y, ALGORITHM=COPY' operation on a table residing in the system tablespace.  This may allow an authenticated attacker to crash the server.
 - An unspecified flaw exists related to the Optimizer subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-3492)
 - An unspecified flaw exists related to the InnoDB subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-5507)
 - An unspecified flaw exists related to the MyISAM subcomponent. This may allow a local attacker to gain elevated privileges. No further details have been provided by the vendor. (CVE-2016-5616)
 - An unspecified flaw exists related to the Error Handling subcomponent. This may allow a local attacker to gain elevated privileges. No further details have been provided by the vendor. (CVE-2016-5617)
 - An unspecified flaw exists related to the Packaging subcomponent. This may allow a local attacker to gain elevated privileges. No further details have been provided by the vendor. (CVE-2016-5625)
 - An unspecified flaw exists related to the GIS subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-5626)
 - An unspecified flaw exists related to the Federated subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-5629)
 - An unspecified flaw exists related to the Optimizer subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (2016-5632)
 - An unspecified flaw exists related to the Types subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-8283)
 - An unspecified flaw exists related to the Security: Privileges subcomponent. This may allow an authenticated remote attacker to disclose potentially sensitive information. No further details have been provided by the vendor. (CVE-2016-8286)

The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities :

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3492, CVE-2016-5632)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5507)

  - An unspecified flaw exists in the MyISAM subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-5616)

  - An unspecified flaw exists in the Error Handling     subcomponent that allows a local attacker to gain     elevated privileges. (CVE-2016-5617)

  - An unspecified flaw exists in the Packaging subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-5625)

  - An unspecified flaw exists in the GIS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5626)

  - An unspecified flaw exists in the Federated subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5629)

  - A flaw exists in the check_log_path() function within     file sql/sys_vars.cc due to inadequate restrictions on     the ability to write to the my.cnf configuration file     and allowing the loading of configuration files from     path locations not used by current versions. An     authenticated, remote attacker can exploit this issue     by using specially crafted queries that utilize logging     functionality to create new files or append custom     content to existing files. This allows the attacker to     gain root privileges by inserting a custom .cnf file     with a 'malloc_lib=' directive pointing to specially     crafted mysql_hookandroot_lib.so file and thereby cause     MySQL to load a malicious library the next time it is     started. (CVE-2016-6662)

  - An unspecified flaw exists that allows an authenticated,     remote attacker to bypass restrictions and create the     /var/lib/mysql/my.cnf file with custom contents without     the FILE privilege requirement. (CVE-2016-6663)     
  - An unspecified flaw exists in the Types subcomponent     that allows an authenticated, remote attacker to cause     a denial of service condition.(CVE-2016-8283)

  - An unspecified flaw exists in the Security: Privileges     subcomponent that allows an authenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-8286)

  - A flaw exists that is related to the use of temporary     files by REPAIR TABLE. An authenticated, remote attacker     can exploit this to gain elevated privileges.

  - A flaw exists in InnoDB when handling an operation that     dropped and created a full-text search table. An     authenticated, remote attacker can exploit this to     trigger an assertion, resulting in a denial of service     condition.

  - A flaw exists in InnoDB when accessing full-text     auxiliary tables while dropping the indexed table. An     authenticated, remote attacker can exploit this to     trigger an assertion, resulting in a denial of service     condition.

  - A buffer overflow condition exists when handling long     integer values in MEDIUMINT columns due to the improper     validation of certain input. An authenticated, remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.

  - An information disclosure vulnerability exists in the     validate_password plugin due to passwords that have been     rejected being written as plaintext to the error log. A     local attacker can exploit this to more easily guess     what passwords might have been chosen and accepted.

  - A flaw exists in InnoDB when handling an ALTER TABLE ...
    ENCRYPTION='Y', ALGORITHM=COPY operation that is applied     to a table in the system tablespace. An authenticated,     remote attacker can exploit this to trigger an     assertion, resulting in a denial of service condition.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
96514	FreeBSD : mysql -- multiple vulnerabilities (e5186c65-d729-11e6-a9a5-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	medium
96232	GLSA-201701-01 : MariaDB and MySQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
9618	Oracle MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities	Nessus Network Monitor	Database	high
93380	MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities	Nessus	Databases	high
93379	MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities	Nessus	Databases	high

CVE-2016-5625

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins