mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.

The version of MariaDB installed on the remote host is prior to 10.1.21. It is, therefore, affected by multiple vulnerabilities as referenced in the mariadb-10-1-21-release-notes advisory.

  - mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB;
    Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB     Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-     based logging, allows local users with access to the mysql account to gain root privileges via a symlink     attack on error logs and possibly other files. (CVE-2016-6664)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported     versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily     exploitable vulnerability allows low privileged attacker with network access via multiple protocols to     compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5     (Availability impacts). (CVE-2017-3238)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported     versions that are affected are 5.5.53 and earlier. Difficult to exploit vulnerability allows high     privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful     attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable     crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.4 (Availability impacts). (CVE-2017-3243)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported     versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily     exploitable vulnerability allows low privileged attacker with network access via multiple protocols to     compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5     (Availability impacts). (CVE-2017-3244)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported     versions that are affected are 5.6.34 and earlier5.7.16 and earlier. Easily exploitable vulnerability     allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
    (CVE-2017-3257)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported     versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily     exploitable vulnerability allows low privileged attacker with network access via multiple protocols to     compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5     (Availability impacts). (CVE-2017-3258)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported     versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to     exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server     executes to compromise MySQL Server. Successful attacks require human interaction from a person other than     the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data     or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and     Availability impacts). (CVE-2017-3265)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported     versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to     exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server     executes to compromise MySQL Server. Successful attacks require human interaction from a person other than     the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS v3.0     Base Score 6.3 (Confidentiality, Integrity and Availability impacts). (CVE-2017-3291)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported     versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to     exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server     executes to compromise MySQL Server. Successful attacks require human interaction from a person other than     the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS v3.0     Base Score 6.7 (Confidentiality, Integrity and Availability impacts). (CVE-2017-3312)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Logging). Supported versions     that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit     vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes     to compromise MySQL Server. Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.0 (Availability     impacts). (CVE-2017-3317)

  - Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling).
    Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier.
    Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where     MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a     person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access     to critical data or complete access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.0     (Confidentiality impacts). (CVE-2017-3318)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the mysql and mysqldump tools     did not correctly handle database and table names     containing newline characters. A database user with     privileges to create databases or tables could cause     the mysql command to execute arbitrary shell or SQL     commands while restoring database backup created using     the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)

  - A flaw was found in the way the mysqld_safe script     handled creation of error log file. The mysql operating     system user could use this flaw to escalate their     privileges to root. (CVE-2016-5617, CVE-2016-6664)

  - Multiple flaws were found in the way the MySQL init     script handled initialization of the database data     directory and permission setting on the error log file.
    The mysql operating system user could use these flaws     to escalate their privileges to root. (CVE-2017-3265)

  - It was discovered that the mysqld_safe script honored     the ledir option value set in a MySQL configuration     file. A user able to modify one of the MySQL     configuration files could use this flaw to escalate     their privileges to root. (CVE-2017-3291)

  - Multiple flaws were found in the way the mysqld_safe     script handled creation of error log file. The mysql     operating system user could use these flaws to escalate     their privileges to root. (CVE-2017-3312)

  - A flaw was found in the way MySQL client library     (libmysqlclient) handled prepared statements when     server connection was lost. A malicious server or a     man-in-the-middle attacker could possibly use this flaw     to crash an application using libmysqlclient.
    (CVE-2017-3302)

  - This update fixes several vulnerabilities in the     MariaDB database server. Information about these flaws     can be found on the Oracle Critical Patch Update     Advisory page, listed in the References section.
    (CVE-2017-3238, CVE-2017-3243, CVE-2017-3244,     CVE-2017-3258, CVE-2017-3308, CVE-2017-3309,     CVE-2017-3313, CVE-2017-3317, CVE-2017-3318,     CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for mariadb is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

The following packages have been upgraded to a later upstream version:
mariadb (5.5.56). (BZ#1458933)

Security Fix(es) :

* It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)

* A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)

* Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)

* It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)

* Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)

* A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient.
(CVE-2017-3302)

* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
(CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

The following packages have been upgraded to a later upstream version:
mariadb (5.5.56).

Security Fix(es) :

  - It was discovered that the mysql and mysqldump tools did     not correctly handle database and table names containing     newline characters. A database user with privileges to     create databases or tables could cause the mysql command     to execute arbitrary shell or SQL commands while     restoring database backup created using the mysqldump     tool. (CVE-2016-5483, CVE-2017-3600)

  - A flaw was found in the way the mysqld_safe script     handled creation of error log file. The mysql operating     system user could use this flaw to escalate their     privileges to root. (CVE-2016-5617, CVE-2016-6664)

  - Multiple flaws were found in the way the MySQL init     script handled initialization of the database data     directory and permission setting on the error log file.
    The mysql operating system user could use these flaws to     escalate their privileges to root. (CVE-2017-3265)

  - It was discovered that the mysqld_safe script honored     the ledir option value set in a MySQL configuration     file. A user able to modify one of the MySQL     configuration files could use this flaw to escalate     their privileges to root. (CVE-2017-3291)

  - Multiple flaws were found in the way the mysqld_safe     script handled creation of error log file. The mysql     operating system user could use these flaws to escalate     their privileges to root. (CVE-2017-3312)

  - A flaw was found in the way MySQL client library     (libmysqlclient) handled prepared statements when server     connection was lost. A malicious server or a     man-in-the-middle attacker could possibly use this flaw     to crash an application using libmysqlclient.
    (CVE-2017-3302)

(CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)

From Red Hat Security Advisory 2017:2192 :

An update for mariadb is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

The following packages have been upgraded to a later upstream version:
mariadb (5.5.56). (BZ#1458933)

Security Fix(es) :

* It was discovered that the mysql and mysqldump tools did not correctly handle database and table names containing newline characters. A database user with privileges to create databases or tables could cause the mysql command to execute arbitrary shell or SQL commands while restoring database backup created using the mysqldump tool. (CVE-2016-5483, CVE-2017-3600)

* A flaw was found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use this flaw to escalate their privileges to root. (CVE-2016-5617, CVE-2016-6664)

* Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3265)

* It was discovered that the mysqld_safe script honored the ledir option value set in a MySQL configuration file. A user able to modify one of the MySQL configuration files could use this flaw to escalate their privileges to root. (CVE-2017-3291)

* Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root. (CVE-2017-3312)

* A flaw was found in the way MySQL client library (libmysqlclient) handled prepared statements when server connection was lost. A malicious server or a man-in-the-middle attacker could possibly use this flaw to crash an application using libmysqlclient.
(CVE-2017-3302)

* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
(CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3308, CVE-2017-3309, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

This mariadb version update to 10.0.29 fixes the following issues :

  - CVE-2017-3318: unspecified vulnerability affecting Error     Handling (bsc#1020896)

  - CVE-2017-3317: unspecified vulnerability affecting     Logging (bsc#1020894)

  - CVE-2017-3312: insecure error log file handling in     mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)

  - CVE-2017-3291: unrestricted mysqld_safe's ledir     (bsc#1020884)

  - CVE-2017-3265: unsafe chmod/chown use in init script     (bsc#1020885)

  - CVE-2017-3258: unspecified vulnerability in the DDL     component (bsc#1020875)

  - CVE-2017-3257: unspecified vulnerability affecting     InnoDB (bsc#1020878)

  - CVE-2017-3244: unspecified vulnerability affecing the     DML component (bsc#1020877)

  - CVE-2017-3243: unspecified vulnerability affecting the     Charsets component (bsc#1020891)

  - CVE-2017-3238: unspecified vulnerability affecting the     Optimizer component (bsc#1020882)

  - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)

  - Applications using the client library for MySQL     (libmysqlclient.so) had a use-after-free issue that     could cause the applications to crash (bsc#1022428)

  - notable changes :

  - XtraDB updated to 5.6.34-79.1

  - TokuDB updated to 5.6.34-79.1

  - Innodb updated to 5.6.35

  - Performance Schema updated to 5.6.35

Release notes and changelog :

  - https://kb.askmonty.org/en/mariadb-10029-release-notes

  - https://kb.askmonty.org/en/mariadb-10029-changelog

This update was imported from the SUSE:SLE-12-SP1:Update update project.

The remote host is affected by the vulnerability described in GLSA-201702-18 (MariaDB: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MariaDB. Please review       the CVE identifiers referenced below for details.
  Impact :

    An attacker could possibly escalate privileges, gain access to critical       data or complete access to all MariaDB Server accessible data, or cause a       Denial of Service condition via unspecified vectors.
  Workaround :

    There is no known workaround at this time.

This mariadb version update to 10.0.29 fixes the following issues :

  - CVE-2017-3318: unspecified vulnerability affecting Error     Handling (bsc#1020896)

  - CVE-2017-3317: unspecified vulnerability affecting     Logging (bsc#1020894)

  - CVE-2017-3312: insecure error log file handling in     mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)

  - CVE-2017-3291: unrestricted mysqld_safe's ledir     (bsc#1020884)

  - CVE-2017-3265: unsafe chmod/chown use in init script     (bsc#1020885)

  - CVE-2017-3258: unspecified vulnerability in the DDL     component (bsc#1020875)

  - CVE-2017-3257: unspecified vulnerability affecting     InnoDB (bsc#1020878)

  - CVE-2017-3244: unspecified vulnerability affecing the     DML component (bsc#1020877)

  - CVE-2017-3243: unspecified vulnerability affecting the     Charsets component (bsc#1020891)

  - CVE-2017-3238: unspecified vulnerability affecting the     Optimizer component (bsc#1020882)

  - CVE-2016-6664: Root Privilege Escalation (bsc#1008253)

  - Applications using the client library for MySQL     (libmysqlclient.so) had a use-after-free issue that     could cause the applications to crash (bsc#1022428)

  - notable changes :

  - XtraDB updated to 5.6.34-79.1

  - TokuDB updated to 5.6.34-79.1

  - Innodb updated to 5.6.35

  - Performance Schema updated to 5.6.35 Release notes and     changelog :

  - https://kb.askmonty.org/en/mariadb-10029-release-notes

  - https://kb.askmonty.org/en/mariadb-10029-changelog

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This mysql version update to 5.5.54 fixes the following issues :

  - CVE-2017-3318: Unspecified vulnerability affecting Error     Handling (bsc#1020896)

  - CVE-2017-3317: Unspecified vulnerability affecting     Logging (bsc#1020894)

  - CVE-2017-3313: Unspecified vulnerability affecting the     MyISAM component (bsc#1020890)

  - CVE-2017-3312: Insecure error log file handling in     mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)

  - CVE-2017-3291: Unrestricted mysqld_safe's ledir     (bsc#1020884)

  - CVE-2017-3265: Unsafe chmod/chown use in init script     (bsc#1020885)

  - CVE-2017-3258: Unspecified vulnerability in the DDL     component (bsc#1020875)

  - CVE-2017-3244: Unspecified vulnerability affecing the     DML component (bsc#1020877)

  - CVE-2017-3243: Unspecified vulnerability affecting the     Charsets component (bsc#1020891)

  - CVE-2017-3238: Unspecified vulnerability affecting the     Optimizer component (bsc#1020882)

  - Applications using the client library for MySQL     (libmysqlclient.so) had a use-after-free issue that     could cause the applications to crash (bsc#1022428)     Release Notes:
    http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-     54.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MariaDB is a community-developed fork of the MySQL relational database. The version of MariaDB installed on the remote host is 10.1.x earlier than 10.1.21, and is therefore affected by multiple vulnerabilities :

 - A flaw exists in the 'merge_buffers()' function in 'sql/filesort.cc' that is triggered during the handling of 'sort_union' optimization.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Item_cache::safe_charset_converter()' function in 'sql/item.cc' that is triggered during the handling of a specially crafted subselect query item.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in 'scripts/mysqld_safe.sh' related to insecure use of certain shell utilities e.g. chown and rm when handling error log files.  This may allow a local attacker via a symlink attack to gain 'root' privileges.
 - An unspecified flaw exists related to the DDL subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the DML subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the InnoDB subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the 'Server:Optimizer' subcomponent. This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - A flaw exists in 'scripts/mysqld_safe.sh' related to handling of the '--ledir' command line option used to specify the directory where mysqld is stored, as this value may be read from the configuration file.  This may allow a local attacker to gain elevated privileges.
 - A flaw exists in the 'packaging/rpm-oel/mysql.init' initialization script related to insecure use of the chown and chmod utilities.  This may allow a local attacker to potentially gain 'root' privileges.
 - An unspecified flaw exists related to the Logging subcomponent.  This may allow a local attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the Error Handling subcomponent.  This may allow a local attacker to gain access to sensitive information.  No further details have been provided by the vendor.
 - An out-of-bounds access flaw exists in the 'Item_partition_func_safe_string()' function in 'sql/item.h' that is triggered during the handling of 'information_schema.processlist' tables.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Table_triggers_list::prepare_record_accessors()' function in 'sql/sql_trigger.cc' that is triggered during the handling of a specially crafted table.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'handle_if_exists_options()' function in 'sql/sql_table.cc' that is triggered during the handling of a specially crafted 'ADD FOREIGN KEY' statements.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Item::decimal_precision()' function in 'sql/item.cc' that is triggered during the handling of a 'SELECT' statement in a crafted query.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Field_time::store_TIME_with_warning()' function that is triggered when handling a specially crafted 'INSERT' query. This may allow an authenticated attacker to crash the database.

The version of MariaDB installed on the remote host is 10.0.x prior to 10.0.29, and is affected by multiple vulnerabilities :

 - A flaw exists in the 'check_duplicate_key()' function that is triggered during the handling of error messages.  This may allow an authenticated attacker to crash the database.  Depending on the database's implementation, it varies if this vulnerability requires authenticated access (e.g. daily DBA duties) or may be exploited by a remote attacker (e.g. interfaced via a web application).
 - A flaw exists in the 'JOIN::destroy()' function in 'sql/sql_select.cc' that is triggered during the handling of a specially crafted query.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'date_add_interval()' function in 'sql/sql_time.cc' that is triggered during the handling of INTERVAL arguments.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in 'sql/item_subselect.cc' that is triggered during the handling of queries from the select/unit tree.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Item::check_well_formed_result()' function in 'sql/item.cc' that is triggered during the handling of row validation.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'lex_one_token()' function in 'sql/sql_lex.cc' that is triggered during the handling of a specially crafted query.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'merge_buffers()' function in 'sql/filesort.cc' that is triggered during the handling of 'sort_union' optimization.  This may allow an authenticated attacker to crash the database. 
 - A flaw exists in the 'Item_cache::safe_charset_converter()' function in 'sql/item.cc' that is triggered during the handling of a specially crafted subselect query item.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in 'scripts/mysqld_safe.sh' related to insecure use of certain shell utilities e.g. chown and rm when handling error log files.  This may allow a local attacker via a symlink attack to gain 'root' privileges.
 - An unspecified flaw exists related to the DDL subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the DML subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the InnoDB subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the 'Server:Optimizer' subcomponent. This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - A flaw exists in 'scripts/mysqld_safe.sh' related to handling of the '--ledir' command line option used to specify the directory where mysqld is stored, as this value may be read from the configuration file.  This may allow a local attacker to gain elevated privileges.
 - A flaw exists in the 'packaging/rpm-oel/mysql.init' initialization script related to insecure use of the chown and chmod utilities.  This may allow a local attacker to potentially gain 'root' privileges.
 - An unspecified flaw exists related to the Logging subcomponent.  This may allow a local attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the Error Handling subcomponent.  This may allow a local attacker to gain access to sensitive information.  No further details have been provided by the vendor.
 - A flaw exists in the 'handle_if_exists_options()' function in 'sql/sql_table.cc' that is triggered during the handling of a specially crafted 'ADD FOREIGN KEY' statements.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'handle_if_exists_options()' function in 'sql/sql_table.cc' that is triggered due to missing foreign keys in a second 'ALTER TABLE' statement.  This may allow an authenticated attacker to crash the database.

MariaDB is a community-developed fork of the MySQL relational database.  The version of MariaDB installed on the remote host is 5.5.x earlier than 5.5.54, and is therefore affected by multiple vulnerabilities :

 - A flaw exists in 'scripts/mysqld_safe.sh' that is triggered when handling arguments to 'malloc-lib'.  This may allow a local attacker to potentially gain elevated privileges.
 - A flaw exists in 'sql/item_subselect.cc' that is triggered during the handling of queries from the select/unit tree.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Item::check_well_formed_result()' function in 'sql/item.cc' that is triggered during the handling of row validation.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Rpl_filter::parse_filter_rule()' function in 'sql/rpl_filter.cc' that is triggered during the clearing of wildcards.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'lex_one_token()' function in 'sql/sql_lex.cc' that is triggered during the handling of a specially crafted query.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'merge_buffers()' function in 'sql/filesort.cc' that is triggered during the handling of 'sort_union' optimization.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'Item_cache::safe_charset_converter()' function in 'sql/item.cc' that is triggered during the handling of a specially crafted subselect query item.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'st_select_lex::is_merged_child_of()' function in 'sql/sql_lex.cc' that is triggered when handling merged views or derived tables.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in 'sql/item.cc' that is triggered during the handling of a specially crafted subquery.  This may allow an authenticated attacker to crash the database.
 - A flaw exists in 'scripts/mysqld_safe.sh' related to insecure use of certain shell utilities e.g. chown and rm when handling error log files.  This may allow a local attacker via a symlink attack to gain 'root' privileges.
 - An unspecified flaw exists related to the DDL subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the DML subcomponent.  This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the 'Server:Optimizer' subcomponent. This may allow an authenticated attacker to cause a denial of service.  No further details have been provided by the vendor.
 - A flaw exists in 'scripts/mysqld_safe.sh' related to handling of the '--ledir' command line option used to specify the directory where mysqld is stored, as this value may be read from the configuration file.  This may allow a local attacker to gain elevated privileges.
 - A flaw exists in the 'packaging/rpm-oel/mysql.init' initialization script related to insecure use of the chown and chmod utilities.  This may allow a local attacker to potentially gain 'root' privileges.
 - An unspecified flaw exists related to the Logging subcomponent.  This may allow a local attacker to cause a denial of service.  No further details have been provided by the vendor.
 - An unspecified flaw exists related to the Error Handling subcomponent.  This may allow a local attacker to gain access to sensitive information.  No further details have been provided by the vendor.

Several issues have been discovered in the MariaDB database server.
The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.29. Please see the MariaDB 10.0 Release Notes for further details :

  -     https://mariadb.com/kb/en/mariadb/mariadb-10029-release-     notes/

New mariadb packages are available for Slackware 14.1, 14.2, and
-current to fix security issues.

The MySQL project reports :

- CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer' sub component.

- CVE-2016-5616, CVE-2016-6663: Race condition allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.

- CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.

- CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub component.

- CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub component.

- CVE-2016-5629: Remote security vulnerability in 'Server: Federated' sub component.

- CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub component.

The version of MariaDB running on the remote host is 5.5.x prior to 5.5.54. It is, therefore, affected by multiple vulnerabilities :

  - A privilege escalation vulnerability exists in     scripts/mysqld_safe.sh due to improper handling of     arguments to malloc-lib. A local attacker can exploit     this, via a symlink attack on error logs, to gain root     privileges. (CVE-2016-6664)

  - A denial of service vulnerability exists in     sql/item_subselect.cc due to improper handling of     queries from the select/unit tree. An authenticated,     remote attacker can exploit this to crash the database.

  - A denial of service vulnerability exists in the     check_well_formed_result() function in sql/item.cc due     to improper handling of row validation. An     authenticated, remote attacker can exploit this to crash     the database.

  - A denial of service vulnerability exists in the     parse_filter_rule() function in sql/rpl_filter.cc     that is triggered during the clearing of wildcards. An     authenticated, remote attacker can exploit this to crash     the database.

  - A denial of service vulnerability exists in the     safe_charset_converter() function in sql/item.cc due to     improper handling of a specially crafted subselect query     item. An authenticated, remote attacker can exploit this     to crash the database.

  - A denial of service vulnerability exists in the     st_select_lex::is_merged_child_of() function in     sql/sql_lex.cc due to improper handling of merged views     or derived tables. An authenticated, remote attacker can     exploit this to crash the database.

  - A denial of service vulnerability exists in sql/item.cc     due to improper handling of a specially crafted     subquery. An authenticated, remote attacker can exploit     this to crash the database.

The version of MariaDB running on the remote host is 10.0.x prior to 10.0.29. It is, therefore, affected by multiple vulnerabilities :

  - A privilege escalation vulnerability exists in     scripts/mysqld_safe.sh due to improper handling of     arguments to malloc-lib. A local attacker can exploit     this, via a symlink attack on error logs, to gain root     privileges. (CVE-2016-6664)

  - A denial of service vulnerability exists in the     check_duplicate_key() function due to improper handling     of error messages. An authenticated, remote attacker can     exploit this to crash the database.

  - A denial of service vulnerability exists in the     destroy() function in sql/sql_select.cc due to improper     handling of a specially crafted query. An authenticated,     remote attacker can exploit this to crash the database.

  - A denial of service vulnerability exists in the     date_add_interval() function in sql/sql_time.cc due to     improper handling of INTERVAL arguments. An     authenticated, remote attacker can exploit this to crash     the database.

  - A denial of service vulnerability exists in     sql/item_subselect.cc due to improper handling of     queries from the select/unit tree. An authenticated,     remote attacker can exploit this to crash the database.

  - A denial of service vulnerability exists in the     check_well_formed_result() function in sql/item.cc due     to improper handling of row validation. An     authenticated, remote attacker can exploit this to crash     the database.

  - A denial of service vulnerability exists in the     safe_charset_converter() function in sql/item.cc due to     improper handling of a specially crafted subselect query     item. An authenticated, remote attacker can exploit this     to crash the database.

The version of MariaDB installed on the remote host is 10.0.x prior to 10.0.28, and is affected by multiple vulnerabilities :

 - An unspecified flaw may allow an authenticated attacker to bypass restrictions and create the '/var/lib/mysql/my.cnf' file with custom contents without the FILE privilege requirement.
 - A flaw in the C software version of AES Encryption and Decryption is triggered as table lookups do not properly consider cache-bank access times. This may allow a local user to disclose AES keys via a specially crafted application.
 - An unspecified flaw exists related to the MyISAM subcomponent. This may allow a local attacker to gain elevated privileges. No further details have been provided by the vendor.
 - An unspecified flaw exists related to the DML subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor.
 - An unspecified flaw exists related to the GIS subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor.
 - An unspecified flaw exists related to the Optimizer subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor.
 - An unspecified flaw exists related to the Federated subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor.
 - An unspecified flaw exists related to the Security: Encryption subcomponent. This may allow an authenticated remote attacker to disclose potentially sensitive information. No further details have been provided by the vendor.
 - An unspecified flaw exists related to the Types subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor.
 - A flaw exists in the 'fill_alter_inplace_info()' function in 'sql/sql_table.cc' that is triggered when altering persistent virtual columns. This may allow an authenticated attacker to crash the database.
 - A flaw exists in the 'mysql_rm_table_no_locks()' function in 'sql/sql_table.cc' that is triggered during the handling of 'CREATE OR REPLACE TABLE' queries. This may allow an authenticated attacker to crash the database.
 - A flaw exists in 'scripts/mysqld_safe.sh' that is triggered when handling arguments to 'malloc-lib'.  This may allow a local attacker to potentially gain elevated privileges.  Note that CVE-2016-6664 is reportedly a duplicate assignment of CVE-2016-5617, which was assigned to this issue's manifestation in Oracle MySQL.

ID	Name	Product	Family	Severity
167880	MariaDB 10.1.0 < 10.1.21 Multiple Vulnerabilities	Nessus	Databases	high
103008	EulerOS 2.0 SP2 : mariadb (EulerOS-SA-2017-1170)	Nessus	Huawei Local Security Checks	high
103007	EulerOS 2.0 SP1 : mariadb (EulerOS-SA-2017-1169)	Nessus	Huawei Local Security Checks	high
102755	CentOS 7 : mariadb (CESA-2017:2192)	Nessus	CentOS Local Security Checks	high
102648	Scientific Linux Security Update : mariadb on SL7.x x86_64 (20170801)	Nessus	Scientific Linux Local Security Checks	high
102299	Oracle Linux 7 : mariadb (ELSA-2017-2192)	Nessus	Oracle Linux Local Security Checks	high
102152	RHEL 7 : mariadb (RHSA-2017:2192)	Nessus	Red Hat Local Security Checks	high
97277	openSUSE Security Update : mariadb (openSUSE-2017-257)	Nessus	SuSE Local Security Checks	high
97261	GLSA-201702-18 : MariaDB: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
97064	SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2017:0412-1)	Nessus	SuSE Local Security Checks	high
97063	SUSE SLES12 Security Update : mariadb (SUSE-SU-2017:0411-1)	Nessus	SuSE Local Security Checks	high
97046	SUSE SLES11 Security Update : mysql (SUSE-SU-2017:0408-1)	Nessus	SuSE Local Security Checks	high
9915	MariaDB Server 10.1.x < 10.1.21 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium
9912	MariaDB Server 10.0.x < 10.0.29 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium
9911	MariaDB Server 5.5.x < 5.5.54 Multiple Vulnerabilities	Nessus Network Monitor	Database	high
96669	Debian DSA-3770-1 : mariadb-10.0 - security update	Nessus	Debian Local Security Checks	high
96612	Slackware 14.1 / 14.2 / current : mariadb (SSA:2017-018-01)	Nessus	Slackware Local Security Checks	high
96510	FreeBSD : MySQL -- multiple vulnerabilities (22373c43-d728-11e6-a9a5-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	high
96489	MariaDB 5.5.x < 5.5.54 Multiple Vulnerabilities	Nessus	Databases	high
96486	MariaDB 10.0.x < 10.0.29 Multiple Vulnerabilities	Nessus	Databases	high
9752	MariaDB Server 10.0.x < 10.0.28 Multiple Vulnerabilities	Nessus Network Monitor	Database	high

Detections

Analytics

CVE-2016-6664

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

medium

medium

high

high

high

high

high

high

high