http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

97825

1038287

RHSA-2017:2886

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.55 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04 have been updated to MySQL 5.7.18.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618 .html.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of MySQL installed on the remote host is version 5.7.x prior to 5.7.18 and is affected by multiple issues :

 - An unspecified flaw exists related to the DML subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3308)
 - An unspecified flaw exists related to the Optimizer subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3309)
 - An unspecified flaw exists related to the Thread Pooling subcomponent. This may allow a remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3329)
 - An unspecified flaw exists related to the DML subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3331, CVE-2017-3456, CVE-2017-3457, CVE-2017-3458)
 - An unspecified flaw exists related to the Memcached subcomponent. This may allow a remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3450)
 - An unspecified flaw exists related to the Optimizer subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3452, CVE-2017-3453, CVE-2017-3459)
 - An unspecified flaw exists related to the InnoDB subcomponent. This may allow an authenticated attacker to have an impact on integrity and availability. No further details have been provided by the vendor. (CVE-2017-3454)
 - An unspecified flaw exists related to the Security: Privileges subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3455, CVE-2017-3461, CVE-2017-3462, CVE-2017-3463, CVE-2017-3465)
 - An unspecified flaw exists related to the Audit Plug-in subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3460)
 - An unspecified flaw exists related to the DDL subcomponent. This may allow an authenticated attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2017-3464)
 - An unspecified flaw exists related to the C API subcomponent. This may allow a remote attacker to gain access to potentially sensitive information. No further details have been provided by the vendor. (CVE-2017-3467)
 - An unspecified flaw exists related to the Security: Encryption subcomponent. This may allow an authenticated attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2017-3468)
 - An unspecified flaw exists related to the Pluggable Auth subcomponent. This may allow a remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2017-3599)
 - An unspecified flaw exists related to the Client mysqldump subcomponent. This may allow an authenticated attacker to potentially execute arbitrary code. No further details have been provided by the vendor. (CVE-2017-3600)

The version of MySQL running on the remote host is 5.7.x prior to 5.7.18. It is, therefore, affected by multiple vulnerabilities :

  - A carry propagation error exists in the OpenSSL     component in the Broadwell-specific Montgomery     multiplication procedure when handling input lengths     divisible by but longer than 256 bits. This can result     in transient authentication and key negotiation failures     or reproducible erroneous outcomes of public-key     operations with specially crafted input. A     man-in-the-middle attacker can possibly exploit this     issue to compromise ECDH key negotiations that utilize     Brainpool P-512 curves. (CVE-2016-7055)

  - Multiple unspecified flaws exist in the DML subcomponent     that allow an authenticated, remote attacker to cause a     denial of service condition. Note that CVE-2017-3331     only affects versions 5.7.11 to 5.7.17. (CVE-2017-3308,     CVE-2017-3331, CVE-2017-3456, CVE-2017-3457,     CVE-2017-3458)

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3309, CVE-2017-3453, CVE-2017-3459)

  - An unspecified flaw exists in the Thread Pooling     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3329)

  - An unspecified flaw exists in the Memcached subcomponent     that allows an unauthenticated, remote attacker to cause     a denial of service condition. (CVE-2017-3450)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to insert     and delete data contained in the database or cause a     denial of service condition. (CVE-2017-3454)

  - An unspecified flaw exists in the 'Security: Privileges'     subcomponent that allows an authenticated, remote     attacker to insert or delete data contained in the     database or disclose sensitive information.
    (CVE-2017-3455)

  - An unspecified flaw exists in the Audit Plug-in     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3460)

  - Multiple unspecified flaws exist in the     'Security: Privileges' subcomponent that allow an     authenticated, remote attacker to cause a denial of     service condition. (CVE-2017-3461, CVE-2017-3462,     CVE-2017-3463)

  - An unspecified flaw exists in the DDL subcomponent that     allows an authenticated, remote attacker to update,     insert, or delete data contained in the database.
    (CVE-2017-3464)

  - An unspecified flaw exists in the 'Security: Privileges'     subcomponent that allows an authenticated, remote     attacker to update, insert, or delete data contained in     the database. (CVE-2017-3465)

  - An unspecified flaw exists in the C API subcomponent     that allows an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2017-3467)

  - An unspecified flaw exists in the 'Security: Encryption'     subcomponent that allows an authenticated, remote     attacker to update, insert, or delete data contained in     the database. (CVE-2017-3468)

  - An unspecified flaw exists in the Pluggable Auth     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3599)

  - An unspecified flaw exists in the 'Client mysqldump'     subcomponent that allows an authenticated, remote     attacker to execute arbitrary code. (CVE-2017-3600)

  - An out-of-bounds read error exists in the OpenSSL     component when handling packets using the     CHACHA20/POLY1305 or RC4-MD5 ciphers. An     unauthenticated, remote attacker can exploit this, via     specially crafted truncated packets, to cause a denial     of service condition. (CVE-2017-3731)

  - A carry propagating error exists in the OpenSSL     component in the x86_64 Montgomery squaring     implementation that may cause the BN_mod_exp() function     to produce incorrect results. An unauthenticated, remote     attacker with sufficient resources can exploit this to     obtain sensitive information regarding private keys.
    (CVE-2017-3732)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MySQL running on the remote host is 5.7.x prior to 5.7.18. It is, therefore, affected by multiple vulnerabilities :

  - A carry propagation error exists in the OpenSSL     component in the Broadwell-specific Montgomery     multiplication procedure when handling input lengths     divisible by but longer than 256 bits. This can result     in transient authentication and key negotiation failures     or reproducible erroneous outcomes of public-key     operations with specially crafted input. A     man-in-the-middle attacker can possibly exploit this     issue to compromise ECDH key negotiations that utilize     Brainpool P-512 curves. (CVE-2016-7055)

  - Multiple unspecified flaws exist in the DML subcomponent     that allow an authenticated, remote attacker to cause a     denial of service condition. (CVE-2017-3308,     CVE-2017-3331, CVE-2017-3456, CVE-2017-3457,     CVE-2017-3458)

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3309, CVE-2017-3453, CVE-2017-3459)

  - An unspecified flaw exists in the Thread Pooling     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3329)

  - An unspecified flaw exists in the Memcached subcomponent     that allows an unauthenticated, remote attacker to cause     a denial of service condition. (CVE-2017-3450)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to insert     and delete data contained in the database or cause a     denial of service condition. (CVE-2017-3454)

  - An unspecified flaw exists in the 'Security: Privileges'     subcomponent that allows an authenticated, remote     attacker to insert or delete data contained in the     database or disclose sensitive information.
    (CVE-2017-3455)

  - An unspecified flaw exists in the Audit Plug-in     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3460)

  - Multiple unspecified flaws exist in the     'Security: Privileges' subcomponent that allow an     authenticated, remote attacker to cause a denial of     service condition. (CVE-2017-3461, CVE-2017-3462,     CVE-2017-3463)

  - An unspecified flaw exists in the DDL subcomponent that     allows an authenticated, remote attacker to update,     insert, or delete data contained in the database.
    (CVE-2017-3464)

  - An unspecified flaw exists in the 'Security: Privileges'     subcomponent that allows an authenticated, remote     attacker to update, insert, or delete data contained in     the database. (CVE-2017-3465)

  - An unspecified flaw exists in the C API subcomponent     that allows an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2017-3467)

  - An unspecified flaw exists in the 'Security: Encryption'     subcomponent that allows an authenticated, remote     attacker to update, insert, or delete data contained in     the database. (CVE-2017-3468)

  - An unspecified flaw exists in the Pluggable Auth     subcomponent that allows an unauthenticated, remote     attacker to cause a denial of service condition.
    (CVE-2017-3599)

  - An unspecified flaw exists in the 'Client mysqldump'     subcomponent that allows an authenticated, remote     attacker to execute arbitrary code. (CVE-2017-3600)

  - An out-of-bounds read error exists in the OpenSSL     component when handling packets using the     CHACHA20/POLY1305 or RC4-MD5 ciphers. An     unauthenticated, remote attacker can exploit this, via     specially crafted truncated packets, to cause a denial     of service condition. (CVE-2017-3731)

  - A carry propagating error exists in the OpenSSL     component in the x86_64 Montgomery squaring     implementation that may cause the BN_mod_exp() function     to produce incorrect results. An unauthenticated, remote     attacker with sufficient resources can exploit this to     obtain sensitive information regarding private keys.
    (CVE-2017-3732)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Oracle reports :

This Critical Patch Update contains 39 new security fixes for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

ID	Name	Product	Family	Severity
99723	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : mysql-5.5, mysql-5.7 vulnerabilities (USN-3269-1) (Riddle)	Nessus	Ubuntu Local Security Checks	high
700064	Oracle MySQL 5.7.x < 5.7.18 Multiple Vulnerabilities	Nessus Network Monitor	Database	high
99516	MySQL 5.7.x < 5.7.18 Multiple Vulnerabilities (April 2017 CPU) (July 2017 CPU)	Nessus	Databases	medium
99513	MySQL 5.7.x < 5.7.18 Multiple Vulnerabilities (April 2017 CPU) (July 2017 CPU)	Nessus	Databases	medium
99497	FreeBSD : MySQL -- multiple vulnerabilities (d9e01c35-2531-11e7-b291-b499baebfeaf) (Riddle)	Nessus	FreeBSD Local Security Checks	high

CVE-2017-3467

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins