RHSA-2016:1601

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

93740

1037050

GLSA-201701-01

The remote host is affected by the vulnerability described in GLSA-201701-01 (MariaDB and MySQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MariaDB and MySQL.
      Please review the CVE identifiers referenced below for details.
  Impact :

    Attackers could execute arbitrary code, escalate privileges, and impact       availability via unspecified vectors.
  Workaround :

    There is no known workaround at this time.

mysql-community-server was updated to 5.6.34 to fix the following issues :

  - Changes     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     34.html     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     33.html     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     32.html     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     31.html

  - fixed CVEs: CVE-2016-6304, CVE-2016-6662, CVE-2016-7440,     CVE-2016-5584, CVE-2016-5617, CVE-2016-5616,     CVE-2016-5626, CVE-2016-3492, CVE-2016-5629,     CVE-2016-5507, CVE-2016-8283, CVE-2016-5609,     CVE-2016-5612, CVE-2016-5627, CVE-2016-5630,     CVE-2016-8284, CVE-2016-8288, CVE-2016-3477,     CVE-2016-2105, CVE-2016-3486, CVE-2016-3501,     CVE-2016-3521, CVE-2016-3615, CVE-2016-3614,     CVE-2016-3459, CVE-2016-5439, CVE-2016-5440

  - fixes SUSE Bugs: [boo#999666], [boo#998309],     [boo#1005581], [boo#1005558], [boo#1005563],     [boo#1005562], [boo#1005566], [boo#1005555],     [boo#1005569], [boo#1005557], [boo#1005582],     [boo#1005560], [boo#1005561], [boo#1005567],     [boo#1005570], [boo#1005583], [boo#1005586],     [boo#989913], [boo#977614], [boo#989914], [boo#989915],     [boo#989919], [boo#989922], [boo#989921], [boo#989911],     [boo#989925], [boo#989926]

  - append '--ignore-db-dir=lost+found' to the mysqld     options in 'mysql-systemd-helper' script if 'lost+found'     directory is found in $datadir [boo#986251] 

  - remove syslog.target from *.service files [boo#983938]

  - add systemd to deps to build on leap and friends 

  - replace '%(_libexecdir)/systemd/system' with %(_unitdir)     macro

  - remove useless mysql@default.service [boo#971456]

  - replace all occurrences of the string '@sysconfdir@'     with '/etc' in     mysql-community-server-5.6.3-logrotate.patch as it     wasn't expanded properly [boo#990890]

  - remove '%define _rundir' as 13.1 is out of support scope

  - run 'usermod -g mysql mysql' only if mysql user is not     in mysql group. Run 'usermod -s /bin/false/ mysql' only     if mysql user doesn't have '/bin/false' shell set.

  - re-enable mysql profiling

The version of MySQL installed on the remote host is version 5.7.x prior to 5.7.13 and is affected by multiple issues :

 - Multiple flaws exist in InnoDB that are triggered when handling specially crafted 'ALTER TABLE' operations.  This may allow an authenticated attacker to potentially crash the database.
 - Multiple unspecified overflow conditions exist that are triggered as user-supplied input is not properly validated.  This may allow an authenticated attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - A NULL pointer dereference flaw exists in a parser structure that is triggered during the validation of stored procedure names.  This may allow an authenticated attacker to potentially cause the database to crash.
 - Multiple unspecified overflow conditions exist in the InnoDB memcached plugin that are triggered as user-supplied input is not properly validated.  This may allow an authenticated attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - A flaw exists that is triggered when invoking Enterprise Encryption functions in multiple threads simultaneously or after creating and dropping them.  This may allow an authenticated attacker to potentially crash the database.
 - A flaw exists that is triggered when handling a 'SELECT ... GROUP BY ... FOR UPDATE' query executed with a Loose Index Scan. This may allow an authenticated attacker to potentially crash the database.
 - A flaw exists that is triggered when performing a 'FLUSH TABLES' operation on a table with a discarded tablespace.  This may potentially allow an authenticated attacker to cause the database to crash.
 - A flaw exists in InnoDB that is triggered when performing an 'OPTIMIZE TABLE' operation on a table with a full-text index.  This may allow an authenticated attacker to crash the database.
 - A flaw exists that is triggered when performing an 'UPDATE' operation on a generated virtual BLOB column.  This may potentially allow an authenticated attacker to cause the database to crash.
 - A flaw exists that is triggered when performing a 'SHOW CREATE TABLE' operation on a table with a generated column.  This may potentially allow an authenticated attacker to cause the database to crash.
 - An unspecified flaw exists related to the InnoDB Plugin subcomponent. This may allow an authenticated remote attacker to have an impact on integrity. No further details have been provided by the vendor.

The version of MySQL installed on the remote host is version 5.6.x prior to 5.6.31 and is affected by multiple issues :

 - Multiple unspecified overflow conditions exist that are triggered as user-supplied input is not properly validated.  This may allow an authenticated attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - A NULL pointer dereference flaw exists in a parser structure that is triggered during the validation of stored procedure names.  This may allow an authenticated attacker to potentially cause the database to crash.
 - Multiple unspecified overflow conditions exist in the InnoDB memcached plugin that are triggered as user-supplied input is not properly validated.  This may allow an authenticated attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - A flaw exists that is triggered when invoking Enterprise Encryption functions in multiple threads simultaneously or after creating and dropping them.  This may allow an authenticated attacker to potentially crash the database.
 - A flaw exists that is triggered when handling a 'SELECT ... GROUP BY ... FOR UPDATE' query executed with a Loose Index Scan.  This may allow an authenticated attacker to potentially crash the database.
 - An unspecified flaw exists related to the InnoDB Plugin subcomponent. This may allow an authenticated remote attacker to have an impact on integrity. No further details have been provided by the vendor.

The version of MySQL running on the remote host is 5.7.x prior to 5.7.13. It is, therefore, affected by multiple vulnerabilities :

  - A heap buffer overflow condition exists in the     EVP_EncodeUpdate() function within file     crypto/evp/encode.c that is triggered when handling     a large amount of input data. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2016-2105)

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3424, CVE-2016-3440, CVE-2016-3501,     CVE-2016-3518)

  - An unspecified flaw exists in the Security: Encryption     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-3452)

  - Multiple unspecified flaws exist in the InnoDB     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3459, CVE-2016-5436)

  - An unspecified flaw exists in the Parser subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-3477)

  - An unspecified flaw exists in the FTS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3486)

  - An unspecified flaw exists in the Types subcomponent     that allows an authenticated, remote attacker to cause     a denial of service condition. (CVE-2016-3521)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to impact     integrity and confidentiality. (CVE-2016-3588)

  - Multiple unspecified flaws exist in the Security:
    Encryption subcomponent that allow an authenticated,     remote attacker to cause a denial of service condition.
    (CVE-2016-3614, CVE-2016-5442)

  - An unspecified flaw exists in the DML subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3615)

  - An unspecified flaw exists in the Log subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5437)

  - An unspecified flaw exists in the Privileges     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-5439)

  - An unspecified flaw exists in the RBR subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5440)

  - An unspecified flaw exists in the Replication     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-5441)

  - An unspecified flaw exists in the Connection     subcomponent that allows a local attacker to cause a     denial of service condition. (CVE-2016-5443)

  - An unspecified flaw exists in the Connection     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-5444)

  - An unspecified flaw exists in the InnoDB Plugin     subcomponent that allows an authenticated, remote     attacker to impact integrity. (CVE-2016-8288)

  - Multiple flaws exist in InnoDB that are triggered when     handling specially crafted 'ALTER TABLE' operations. An     authenticated, remote attacker can exploit these issues     to crash the database, resulting in a denial of service     condition.

  - Multiple overflow conditions exist due to improper     validation of user-supplied input. An authenticated,     remote attacker can exploit these issues to cause a     denial of service condition or the execution of     arbitrary code.

  - A NULL pointer dereference flaw exists in a parser     structure that is triggered during the validation of     stored procedure names. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - Multiple overflow conditions exist in the InnoDB     memcached plugin due to improper validation of     user-supplied input. An authenticated, remote attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code.

  - An unspecified flaw exists that is triggered when     invoking Enterprise Encryption functions in multiple     threads simultaneously or after creating and dropping     them. An authenticated, remote attacker can exploit this     to crash the database, resulting in a denial of service     condition.

  - An unspecified flaw exists that is triggered when     handling a 'SELECT ... GROUP BY ... FOR UPDATE' query     executed with a loose index scan. An authenticated,     remote attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - An unspecified flaw exists that is triggered when     performing a 'FLUSH TABLES' operation on a table with a     discarded tablespace. An authenticated, remote attacker     can exploit this to crash the database, resulting in a     denial of service condition.

  - A flaw exists in InnoDB that is triggered when     performing an 'OPTIMIZE TABLE' operation on a table with     a full-text index. An authenticated, remote attacker can     exploit this to crash the database, resulting in a     denial of service condition.

  - An unspecified flaw exists that is triggered when     performing an UPDATE operation on a generated virtual     BLOB column. An authenticated, remote attacker can     exploit this to crash the database, resulting in a     denial of service condition.

  - An unspecified flaw exists that is triggered when     performing a 'SHOW CREATE TABLE' operation on a table     with a generated column. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MySQL running on the remote host is 5.6.x prior to 5.6.31. It is, therefore, affected by multiple vulnerabilities :

  - A heap buffer overflow condition exists in the     EVP_EncodeUpdate() function within file     crypto/evp/encode.c that is triggered when handling     a large amount of input data. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2016-2105)

  - An unspecified flaw exists in the Security: Encryption     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-3452)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3459)

  - An unspecified flaw exists in the Options subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-3471)

  - An unspecified flaw exists in the Parser subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-3477)

  - An unspecified flaw exists in the FTS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3486)

  - An unspecified flaw exists in the Optimizer subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3501)

  - An unspecified flaw exists in the Types subcomponent     that allows an authenticated, remote attacker to cause     a denial of service condition. (CVE-2016-3521)

  - An unspecified flaw exists in the Security: Encryption     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3614)

  - An unspecified flaw exists in the DML subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3615)

  - An unspecified flaw exists in the Privileges     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-5439)

  - An unspecified flaw exists in the RBR subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5440)

  - An unspecified flaw exists in the Connection     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-5444)

  - An unspecified flaw exists in the InnoDB Plugin     subcomponent that allows an authenticated, remote     attacker to impact integrity. (CVE-2016-8288)

  - Multiple overflow conditions exist due to improper     validation of user-supplied input. An authenticated,     remote attacker can exploit these issues to cause a     denial of service condition or the execution of     arbitrary code.

  - A NULL pointer dereference flaw exists in a parser     structure that is triggered during the validation of     stored procedure names. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - Multiple overflow conditions exist in the InnoDB     memcached plugin due to improper validation of     user-supplied input. An authenticated, remote attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code.

  - An unspecified flaw exists that is triggered when     invoking Enterprise Encryption functions in multiple     threads simultaneously or after creating and dropping     them. An authenticated, remote attacker can exploit this     to crash the database, resulting in a denial of service     condition.

  - An unspecified flaw exists that is triggered when     handling a 'SELECT ... GROUP BY ... FOR UPDATE' query     executed with a loose index scan. An authenticated,     remote attacker can exploit this to crash the database,     resulting in a denial of service condition.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
96232	GLSA-201701-01 : MariaDB and MySQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
94756	openSUSE Security Update : mysql-community-server (openSUSE-2016-1289)	Nessus	SuSE Local Security Checks	critical
94694	openSUSE Security Update : mysql-community-server (openSUSE-2016-1283)	Nessus	SuSE Local Security Checks	critical
9616	Oracle MySQL 5.7.x < 5.7.13 Multiple Vulnerabilities	Nessus Network Monitor	Database	high
9612	Oracle MySQL 5.6.x < 5.6.31 Multiple Vulnerabilities	Nessus Network Monitor	Database	high
91997	MySQL 5.7.x < 5.7.13 Multiple Vulnerabilities	Nessus	Databases	medium
91995	MySQL 5.6.x < 5.6.31 Multiple Vulnerabilities	Nessus	Databases	high
91998	Oracle MySQL 5.7.x < 5.7.13 Multiple Vulnerabilities	Nessus	Databases	medium
91996	Oracle MySQL 5.6.x < 5.6.31 Multiple Vulnerabilities	Nessus	Databases	high

CVE-2016-8288

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins