http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

106622

RHSA-2019:2484

RHSA-2019:2511

https://security.netapp.com/advisory/ntap-20190118-0002/

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:2511 advisory.

  - mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019) (CVE-2019-2420, CVE-2019-2481,     CVE-2019-2507, CVE-2019-2529, CVE-2019-2530)

  - mysql: Server: Parser unspecified vulnerability (CPU Jan 2019) (CVE-2019-2434, CVE-2019-2455)

  - mysql: Server: Replication unspecified vulnerability (CPU Jan 2019) (CVE-2019-2436, CVE-2019-2531,     CVE-2019-2534)

  - mysql: Server: PS unspecified vulnerability (CPU Jan 2019) (CVE-2019-2482)

  - mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2019) (CVE-2019-2486,     CVE-2019-2532, CVE-2019-2533)

  - mysql: Server: DDL unspecified vulnerability (CPU Jan 2019) (CVE-2019-2494, CVE-2019-2495, CVE-2019-2537)

  - mysql: InnoDB unspecified vulnerability (CPU Jan 2019) (CVE-2019-2502, CVE-2019-2510)

  - mysql: Server: Connection Handling unspecified vulnerability (CPU Jan 2019) (CVE-2019-2503)

  - mysql: Server: Partition unspecified vulnerability (CPU Jan 2019) (CVE-2019-2528)

  - mysql: Server: Options unspecified vulnerability (CPU Jan 2019) (CVE-2019-2535)

  - mysql: Server: Packaging unspecified vulnerability (CPU Jan 2019) (CVE-2019-2536)

  - mysql: Server: Connection unspecified vulnerability (CPU Jan 2019) (CVE-2019-2539)

  - mysql: InnoDB unspecified vulnerability (CPU Apr 2019) (CVE-2019-2580, CVE-2019-2585, CVE-2019-2593,     CVE-2019-2624, CVE-2019-2628)

  - mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2019) (CVE-2019-2581, CVE-2019-2596,     CVE-2019-2607, CVE-2019-2625, CVE-2019-2681, CVE-2019-2685, CVE-2019-2686, CVE-2019-2687, CVE-2019-2688,     CVE-2019-2689, CVE-2019-2693, CVE-2019-2694, CVE-2019-2695)

  - mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2019) (CVE-2019-2584,     CVE-2019-2589, CVE-2019-2606, CVE-2019-2620, CVE-2019-2627)

  - mysql: Server: Partition unspecified vulnerability (CPU Apr 2019) (CVE-2019-2587)

  - mysql: Server: PS unspecified vulnerability (CPU Apr 2019) (CVE-2019-2592)

  - mysql: Server: Replication unspecified vulnerability (CPU Apr 2019) (CVE-2019-2614, CVE-2019-2617,     CVE-2019-2630, CVE-2019-2634, CVE-2019-2635)

  - mysql: Server: Options unspecified vulnerability (CPU Apr 2019) (CVE-2019-2623, CVE-2019-2683)

  - mysql: Server: DDL unspecified vulnerability (CPU Apr 2019) (CVE-2019-2626, CVE-2019-2644)

  - mysql: Server: Information Schema unspecified vulnerability (CPU Apr 2019) (CVE-2019-2631)

  - mysql: Server: Group Replication Plugin unspecified vulnerability (CPU Apr 2019) (CVE-2019-2636)

  - mysql: Server: Security: Roles unspecified vulnerability (CPU Apr 2019) (CVE-2019-2691)

  - mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2019) (CVE-2019-2737)

  - mysql: Server: Compiling unspecified vulnerability (CPU Jul 2019) (CVE-2019-2738)

  - mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2019) (CVE-2019-2739,     CVE-2019-2778, CVE-2019-2789, CVE-2019-2811)

  - mysql: Server: XML unspecified vulnerability (CPU Jul 2019) (CVE-2019-2740)

  - mysql: Server: Options unspecified vulnerability (CPU Jul 2019) (CVE-2019-2752)

  - mysql: Server: Replication unspecified vulnerability (CPU Jul 2019) (CVE-2019-2755, CVE-2019-2800)

  - mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2019) (CVE-2019-2757, CVE-2019-2774,     CVE-2019-2796, CVE-2019-2802, CVE-2019-2803, CVE-2019-2808, CVE-2019-2810, CVE-2019-2812, CVE-2019-2815,     CVE-2019-2830, CVE-2019-2834)

  - mysql: InnoDB unspecified vulnerability (CPU Jul 2019) (CVE-2019-2758, CVE-2019-2785, CVE-2019-2798,     CVE-2019-2814, CVE-2019-2879)

  - mysql: Server: Components / Services unspecified vulnerability (CPU Jul 2019) (CVE-2019-2780)

  - mysql: Server: DML unspecified vulnerability (CPU Jul 2019) (CVE-2019-2784)

  - mysql: Server: Charsets unspecified vulnerability (CPU Jul 2019) (CVE-2019-2795)

  - mysql: Client programs unspecified vulnerability (CPU Jul 2019) (CVE-2019-2797)

  - mysql: Server: FTS unspecified vulnerability (CPU Jul 2019) (CVE-2019-2801)

  - mysql: Server: Parser unspecified vulnerability (CPU Jul 2019) (CVE-2019-2805)

  - mysql: Server: Security: Audit unspecified vulnerability (CPU Jul 2019) (CVE-2019-2819)

  - mysql: Server: Security: Roles unspecified vulnerability (CPU Jul 2019) (CVE-2019-2826)

  - mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2019) (CVE-2019-2948, CVE-2019-2950)

  - mysql: Client programs unspecified vulnerability (CPU Oct 2019) (CVE-2019-2969)

  - mysql: InnoDB unspecified vulnerability (CPU Oct 2019) (CVE-2019-3003)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for the mysql:8.0 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs.

The following packages have been upgraded to a later upstream version:
mysql (8.0.17).

Security Fix(es) :

* mysql: Server: Replication multiple unspecified vulnerabilities (CVE-2019-2800, CVE-2019-2436, CVE-2019-2531, CVE-2019-2534, CVE-2019-2614, CVE-2019-2617, CVE-2019-2630, CVE-2019-2634, CVE-2019-2635, CVE-2019-2755)

* mysql: Server: Optimizer multiple unspecified vulnerabilities (CVE-2019-2420, CVE-2019-2481, CVE-2019-2507, CVE-2019-2529, CVE-2019-2530, CVE-2019-2581, CVE-2019-2596, CVE-2019-2607, CVE-2019-2625, CVE-2019-2681, CVE-2019-2685, CVE-2019-2686, CVE-2019-2687, CVE-2019-2688, CVE-2019-2689, CVE-2019-2693, CVE-2019-2694, CVE-2019-2695, CVE-2019-2757, CVE-2019-2774, CVE-2019-2796, CVE-2019-2802, CVE-2019-2803, CVE-2019-2808, CVE-2019-2810, CVE-2019-2812, CVE-2019-2815, CVE-2019-2830, CVE-2019-2834)

* mysql: Server: Parser multiple unspecified vulnerabilities (CVE-2019-2434, CVE-2019-2455, CVE-2019-2805)

* mysql: Server: PS multiple unspecified vulnerabilities (CVE-2019-2482, CVE-2019-2592)

* mysql: Server: Security: Privileges multiple unspecified vulnerabilities (CVE-2019-2486, CVE-2019-2532, CVE-2019-2533, CVE-2019-2584, CVE-2019-2589, CVE-2019-2606, CVE-2019-2620, CVE-2019-2627, CVE-2019-2739, CVE-2019-2778, CVE-2019-2811, CVE-2019-2789)

* mysql: Server: DDL multiple unspecified vulnerabilities (CVE-2019-2494, CVE-2019-2495, CVE-2019-2537, CVE-2019-2626, CVE-2019-2644)

* mysql: InnoDB multiple unspecified vulnerabilities (CVE-2019-2502, CVE-2019-2510, CVE-2019-2580, CVE-2019-2585, CVE-2019-2593, CVE-2019-2624, CVE-2019-2628, CVE-2019-2758, CVE-2019-2785, CVE-2019-2798, CVE-2019-2879, CVE-2019-2814)

* mysql: Server: Connection Handling unspecified vulnerability (CVE-2019-2503)

* mysql: Server: Partition multiple unspecified vulnerabilities (CVE-2019-2528, CVE-2019-2587)

* mysql: Server: Options multiple unspecified vulnerabilities (CVE-2019-2535, CVE-2019-2623, CVE-2019-2683, CVE-2019-2752)

* mysql: Server: Packaging unspecified vulnerability (CVE-2019-2536)

* mysql: Server: Connection unspecified vulnerability (CVE-2019-2539)

* mysql: Server: Information Schema unspecified vulnerability (CVE-2019-2631)

* mysql: Server: Group Replication Plugin unspecified vulnerability (CVE-2019-2636)

* mysql: Server: Security: Roles multiple unspecified vulnerabilities (CVE-2019-2691, CVE-2019-2826)

* mysql: Server: Pluggable Auth unspecified vulnerability (CVE-2019-2737)

* mysql: Server: XML unspecified vulnerability (CVE-2019-2740)

* mysql: Server: Components / Services unspecified vulnerability (CVE-2019-2780)

* mysql: Server: DML unspecified vulnerability (CVE-2019-2784)

* mysql: Server: Charsets unspecified vulnerability (CVE-2019-2795)

* mysql: Client programs unspecified vulnerability (CVE-2019-2797)

* mysql: Server: FTS unspecified vulnerability (CVE-2019-2801)

* mysql: Server: Security: Audit unspecified vulnerability (CVE-2019-2819)

* mysql: Server: Compiling unspecified vulnerability (CVE-2019-2738)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

From Red Hat Security Advisory 2019:2511 :

An update for the mysql:8.0 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs.

The following packages have been upgraded to a later upstream version:
mysql (8.0.17).

Security Fix(es) :

* mysql: Server: Replication multiple unspecified vulnerabilities (CVE-2019-2800, CVE-2019-2436, CVE-2019-2531, CVE-2019-2534, CVE-2019-2614, CVE-2019-2617, CVE-2019-2630, CVE-2019-2634, CVE-2019-2635, CVE-2019-2755)

* mysql: Server: Optimizer multiple unspecified vulnerabilities (CVE-2019-2420, CVE-2019-2481, CVE-2019-2507, CVE-2019-2529, CVE-2019-2530, CVE-2019-2581, CVE-2019-2596, CVE-2019-2607, CVE-2019-2625, CVE-2019-2681, CVE-2019-2685, CVE-2019-2686, CVE-2019-2687, CVE-2019-2688, CVE-2019-2689, CVE-2019-2693, CVE-2019-2694, CVE-2019-2695, CVE-2019-2757, CVE-2019-2774, CVE-2019-2796, CVE-2019-2802, CVE-2019-2803, CVE-2019-2808, CVE-2019-2810, CVE-2019-2812, CVE-2019-2815, CVE-2019-2830, CVE-2019-2834)

* mysql: Server: Parser multiple unspecified vulnerabilities (CVE-2019-2434, CVE-2019-2455, CVE-2019-2805)

* mysql: Server: PS multiple unspecified vulnerabilities (CVE-2019-2482, CVE-2019-2592)

* mysql: Server: Security: Privileges multiple unspecified vulnerabilities (CVE-2019-2486, CVE-2019-2532, CVE-2019-2533, CVE-2019-2584, CVE-2019-2589, CVE-2019-2606, CVE-2019-2620, CVE-2019-2627, CVE-2019-2739, CVE-2019-2778, CVE-2019-2811, CVE-2019-2789)

* mysql: Server: DDL multiple unspecified vulnerabilities (CVE-2019-2494, CVE-2019-2495, CVE-2019-2537, CVE-2019-2626, CVE-2019-2644)

* mysql: InnoDB multiple unspecified vulnerabilities (CVE-2019-2502, CVE-2019-2510, CVE-2019-2580, CVE-2019-2585, CVE-2019-2593, CVE-2019-2624, CVE-2019-2628, CVE-2019-2758, CVE-2019-2785, CVE-2019-2798, CVE-2019-2879, CVE-2019-2814)

* mysql: Server: Connection Handling unspecified vulnerability (CVE-2019-2503)

* mysql: Server: Partition multiple unspecified vulnerabilities (CVE-2019-2528, CVE-2019-2587)

* mysql: Server: Options multiple unspecified vulnerabilities (CVE-2019-2535, CVE-2019-2623, CVE-2019-2683, CVE-2019-2752)

* mysql: Server: Packaging unspecified vulnerability (CVE-2019-2536)

* mysql: Server: Connection unspecified vulnerability (CVE-2019-2539)

* mysql: Server: Information Schema unspecified vulnerability (CVE-2019-2631)

* mysql: Server: Group Replication Plugin unspecified vulnerability (CVE-2019-2636)

* mysql: Server: Security: Roles multiple unspecified vulnerabilities (CVE-2019-2691, CVE-2019-2826)

* mysql: Server: Pluggable Auth unspecified vulnerability (CVE-2019-2737)

* mysql: Server: XML unspecified vulnerability (CVE-2019-2740)

* mysql: Server: Components / Services unspecified vulnerability (CVE-2019-2780)

* mysql: Server: DML unspecified vulnerability (CVE-2019-2784)

* mysql: Server: Charsets unspecified vulnerability (CVE-2019-2795)

* mysql: Client programs unspecified vulnerability (CVE-2019-2797)

* mysql: Server: FTS unspecified vulnerability (CVE-2019-2801)

* mysql: Server: Security: Audit unspecified vulnerability (CVE-2019-2819)

* mysql: Server: Compiling unspecified vulnerability (CVE-2019-2738)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The version of MySQL running on the remote host is 8.0.x prior to 8.0.14. It is, therefore, affected by multiple vulnerabilities, including three of the top vulnerabilities below, as noted in the January 2019 Critical Patch Update advisory:

 - An unspecified vulnerability in MySQL in the 'Server: Replication' subcomponent could allow an low privileged attacker with network access via multiple protocols to gain unauthorized access critical data or complete access to all MySQL server data. (CVE-2019-2534)

 - An unspecified vulnerability in MySQL in the 'Server: Optimizer' subcomponent could allow an low privileged attacker with network access via multiple protocols to perform a denial of service attack.
 (CVE-2019-2529)

 - An unspecified vulnerability in MySQL in the 'Server: PS' subcomponent could allow an low privileged attacker with network access via multiple protocols to perform a denial of service attack.
 (CVE-2019-2482)

Oracle reports :

Please reference CVE/URL list for details

Not all listed CVE's are present in all versions/flavors

The version of MySQL running on the remote host is 8.0.x prior to 8.0.14. It is, therefore, affected by multiple vulnerabilities, including three of the top vulnerabilities below, as noted in the January 2019 Critical Patch Update advisory:

  - An unspecified vulnerability in MySQL in the     'Server: Replication' subcomponent could allow an low     privileged attacker with network access via multiple     protocols to gain unauthorized access critical data or     complete access to all MySQL server data. (CVE-2019-2534)

  - An unspecified vulnerability in MySQL in the     'Server: Optimizer' subcomponent could allow an low     privileged attacker with network access via multiple     protocols to perform a denial of service attack.
    (CVE-2019-2529)

  - An unspecified vulnerability in MySQL in the     'Server: PS' subcomponent could allow an low     privileged attacker with network access via multiple     protocols to perform a denial of service attack.
    (CVE-2019-2482)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 8.0.13, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see Oracle's Critical Patch Update advisory for further details. 

ID	Name	Product	Family	Severity
145612	CentOS 8 : mysql:8.0 (CESA-2019:2511)	Nessus	CentOS Local Security Checks	medium
127991	RHEL 8 : mysql:8.0 (RHSA-2019:2511)	Nessus	Red Hat Local Security Checks	medium
127983	Oracle Linux 8 : mysql:8.0 (ELSA-2019-2511)	Nessus	Oracle Linux Local Security Checks	medium
700630	MySQL 8.0.x < 8.0.14 Multiple Vulnerabilities (Jan 2019 CPU)	Nessus Network Monitor	Database	high
121406	FreeBSD : MySQL -- multiple vulnerabilities (d3d02d3a-2242-11e9-b95c-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	high
121229	MySQL 8.0.x < 8.0.14 Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Databases	high
700390	Oracle MySQL 8.0.x < 8.0.13 Multiple Vulnerabilities	Nessus Network Monitor	Database	high

CVE-2019-2536

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

medium

medium

high

high

high

high