A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:0894 advisory.

    * mysql: InnoDB unspecified vulnerability (CPU Apr 2023) (CVE-2023-21911)

    * mysql: Server: DDL unspecified vulnerability (CPU Apr 2023) (CVE-2023-21919, CVE-2023-21929,     CVE-2023-21933)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023) (CVE-2023-21920, CVE-2023-21935,     CVE-2023-21945, CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982)

    * mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023) (CVE-2023-21940,     CVE-2023-21947, CVE-2023-21962)

    * mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21953, CVE-2023-21955)

    * mysql: Server: JSON unspecified vulnerability (CPU Apr 2023) (CVE-2023-21966)

    * mysql: Server: DML unspecified vulnerability (CPU Apr 2023) (CVE-2023-21972)

    * mysql: Client programs unspecified vulnerability (CPU Apr 2023) (CVE-2023-21980)

    * mysql: Server: Replication unspecified vulnerability (CPU Jul 2023) (CVE-2023-22005, CVE-2023-22007,     CVE-2023-22057)

    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22008)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023) (CVE-2023-22032, CVE-2023-22059,     CVE-2023-22064, CVE-2023-22065, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22092,     CVE-2023-22103, CVE-2023-22110, CVE-2023-22112)

    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22033)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023) (CVE-2023-22046, CVE-2023-22054,     CVE-2023-22056)

    * mysql: Client programs unspecified vulnerability (CPU Jul 2023) (CVE-2023-22053)

    * mysql: Server: DDL unspecified vulnerability (CPU Jul 2023) (CVE-2023-22058)

    * mysql: InnoDB unspecified vulnerability (CPU Oct 2023) (CVE-2023-22066, CVE-2023-22068, CVE-2023-22084,     CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)

    * mysql: Server: UDF unspecified vulnerability (CPU Oct 2023) (CVE-2023-22111)

    * mysql: Server: DML unspecified vulnerability (CPU Oct 2023) (CVE-2023-22115)

    * mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024) (CVE-2024-20960)

    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024) (CVE-2024-20963)

    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024) (CVE-2024-20964)

    * mysql: Server: Replication unspecified vulnerability (CPU Jan 2024) (CVE-2024-20967)

    * mysql: Server: Options unspecified vulnerability (CPU Jan 2024) (CVE-2024-20968)

    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20969)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024) (CVE-2024-20961, CVE-2024-20962,     CVE-2024-20965, CVE-2024-20966, CVE-2024-20970, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973,     CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20982)

    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20981)

    * mysql: Server: DML unspecified vulnerability (CPU Jan 2024) (CVE-2024-20983)

    * mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024) (CVE-2024-20984)

    * mysql: Server: UDF unspecified vulnerability (CPU Jan 2024) (CVE-2024-20985)

    * zstd: mysql: buffer overrun in util.c (CVE-2022-4899)

    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023) (CVE-2023-22038)

    * mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023) (CVE-2023-22048)

    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023) (CVE-2023-22113)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the     command line tool to cause buffer overrun. (CVE-2022-4899)

Note that Nessus relies on the presence of the package as reported by the vendor.

An update of the mysql package has been released.

An update of the zstd package has been released.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2619 advisory.

    MySQL is a multi-user, multi-threaded SQL database server. It consists of the     MySQL server daemon, mysqld, and many client programs.

    The following packages have been upgraded to a later upstream version:
    rh-mysql80-mysql (8.0.36)

    Security fixes:

    * mysql: Client programs unspecified vulnerability (CVE-2023-21980, CVE-2023-22053)

    * mysql: InnoDB unspecified vulnerability (CVE-2023-21911, CVE-2023-22008, CVE-2023-22033, CVE-2023-22066,     CVE-2023-22068, CVE-2023-22084, CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)

    * mysql: Server : Security : Firewall unspecified vulnerability (CVE-2024-20984)

    * mysql: Server: Audit Plug-in unspecified vulnerability (CVE-2024-21061)

    * mysql: Server: Components Services unspecified vulnerability (CVE-2023-21940, CVE-2023-21947,     CVE-2023-21962)

    * mysql: Server: DDL unspecified vulnerability (CVE-2023-21919, CVE-2023-21929, CVE-2023-21933,     CVE-2023-22058, CVE-2024-20969, CVE-2024-20981)

    * mysql: Server: DML unspecified vulnerability (CVE-2023-21972, CVE-2023-22115, CVE-2024-20983,     CVE-2024-21015, CVE-2024-21049, CVE-2024-21050, CVE-2024-21051, CVE-2024-21052, CVE-2024-21053,     CVE-2024-21056)

    * mysql: Server: JSON unspecified vulnerability (CVE-2023-21966)

    * mysql: Server: Optimizer unspecified vulnerability (CVE-2023-21920, CVE-2023-21935, CVE-2023-21945,     CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982, CVE-2023-22032, CVE-2023-22046,     CVE-2023-22054, CVE-2023-22056, CVE-2023-22059, CVE-2023-22064, CVE-2023-22065, CVE-2023-22070,     CVE-2023-22078, CVE-2023-22079, CVE-2023-22092, CVE-2023-22103, CVE-2023-22110, CVE-2023-22112,     CVE-2024-20961, CVE-2024-20962, CVE-2024-20965, CVE-2024-20966, CVE-2024-20970, CVE-2024-20971,     CVE-2024-20972, CVE-2024-20973, CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978,     CVE-2024-20982, CVE-2024-20993, CVE-2024-21055, CVE-2024-21057)

    * mysql: Server: Options unspecified vulnerability (CVE-2024-20968)

    * mysql: Server: Partition unspecified vulnerability (CVE-2023-21953, CVE-2023-21955)

    * mysql: Server: Pluggable Auth unspecified vulnerability (CVE-2023-22048)

    * mysql: Server: RAPID unspecified vulnerability (CVE-2024-20960)

    * mysql: Server: Replication unspecified vulnerability (CVE-2023-22005, CVE-2023-22007, CVE-2023-22057,     CVE-2024-20967)

    * mysql: Server: Security: Encryption unspecified vulnerability (CVE-2023-22113, CVE-2024-20963)

    * mysql: Server: Security: Privileges unspecified vulnerability (CVE-2023-22038, CVE-2024-20964)

    * mysql: Server: UDF unspecified vulnerability (CVE-2023-22111, CVE-2024-20985)

    * zstd: mysql: buffer overrun in util.c (CVE-2022-4899)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1141 advisory.

    [8.0.36-1]
    - Update to MySQL 8.0.36

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1141 advisory.

    MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld)     and many client programs and libraries.

    Security Fix(es):

    * mysql: InnoDB unspecified vulnerability (CPU Apr 2023) (CVE-2023-21911)

    * mysql: Server: DDL unspecified vulnerability (CPU Apr 2023) (CVE-2023-21919, CVE-2023-21929,     CVE-2023-21933)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023) (CVE-2023-21920, CVE-2023-21935,     CVE-2023-21945, CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982)

    * mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023) (CVE-2023-21940,     CVE-2023-21947, CVE-2023-21962)

    * mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21953)

    * mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21955)

    * mysql: Server: JSON unspecified vulnerability (CPU Apr 2023) (CVE-2023-21966)

    * mysql: Server: DML unspecified vulnerability (CPU Apr 2023) (CVE-2023-21972)

    * mysql: Client programs unspecified vulnerability (CPU Apr 2023) (CVE-2023-21980)

    * mysql: Server: Replication unspecified vulnerability (CPU Jul 2023) (CVE-2023-22005, CVE-2023-22007,     CVE-2023-22057)

    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22008)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023) (CVE-2023-22032, CVE-2023-22059,     CVE-2023-22064, CVE-2023-22065, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22092,     CVE-2023-22103, CVE-2023-22110, CVE-2023-22112)

    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22033)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023) (CVE-2023-22046)

    * mysql: Client programs unspecified vulnerability (CPU Jul 2023) (CVE-2023-22053, CVE-2023-22054,     CVE-2023-22056)

    * mysql: Server: DDL unspecified vulnerability (CPU Jul 2023) (CVE-2023-22058)

    * mysql: InnoDB unspecified vulnerability (CPU Oct 2023) (CVE-2023-22066, CVE-2023-22068, CVE-2023-22084,     CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)

    * mysql: Server: UDF unspecified vulnerability (CPU Oct 2023) (CVE-2023-22111)

    * mysql: Server: DML unspecified vulnerability (CPU Oct 2023) (CVE-2023-22115)

    * mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024) (CVE-2024-20960)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024) (CVE-2024-20961, CVE-2024-20962,     CVE-2024-20965, CVE-2024-20966, CVE-2024-2097, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973,     CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20982)

    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024) (CVE-2024-20963)

    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024) (CVE-2024-20964)

    * mysql: Server: Replication unspecified vulnerability (CPU Jan 2024) (CVE-2024-20967)

    * mysql: Server: Options unspecified vulnerability (CPU Jan 2024) (CVE-2024-20968)

    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20969)

    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20981)

    * mysql: Server: DML unspecified vulnerability (CPU Jan 2024) (CVE-2024-20983)

    * mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024) (CVE-2024-20984)

    * mysql: Server: UDF unspecified vulnerability (CPU Jan 2024) (CVE-2024-20985)

    * zstd: mysql: buffer overrun in util.c (CVE-2022-4899)

    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023) (CVE-2023-22038)

    * mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023) (CVE-2023-22048)

    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023) (CVE-2023-22113)

    Bug Fix(es):

    * Fix for MySQL bug #33630199 in 8.0.32 introduces regression when --set-gtid-purged=OFF (RHEL-22454)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:0894 advisory.

    * mysql: InnoDB unspecified vulnerability (CPU Apr 2023) (CVE-2023-21911)
    * mysql: Server: DDL unspecified vulnerability (CPU Apr 2023) (CVE-2023-21919, CVE-2023-21929,     CVE-2023-21933)
    * mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023) (CVE-2023-21920, CVE-2023-21935,     CVE-2023-21945, CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982)
    * mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023) (CVE-2023-21940,     CVE-2023-21947, CVE-2023-21962)
    * mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21953, CVE-2023-21955)
    * mysql: Server: JSON unspecified vulnerability (CPU Apr 2023) (CVE-2023-21966)
    * mysql: Server: DML unspecified vulnerability (CPU Apr 2023) (CVE-2023-21972)
    * mysql: Client programs unspecified vulnerability (CPU Apr 2023) (CVE-2023-21980)
    * mysql: Server: Replication unspecified vulnerability (CPU Jul 2023) (CVE-2023-22005, CVE-2023-22007,     CVE-2023-22057)
    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22008)
    * mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023) (CVE-2023-22032, CVE-2023-22059,     CVE-2023-22064, CVE-2023-22065, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22092,     CVE-2023-22103, CVE-2023-22110, CVE-2023-22112)
    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22033)
    * mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023) (CVE-2023-22046, CVE-2023-22054,     CVE-2023-22056)
    * mysql: Client programs unspecified vulnerability (CPU Jul 2023) (CVE-2023-22053)
    * mysql: Server: DDL unspecified vulnerability (CPU Jul 2023) (CVE-2023-22058)
    * mysql: InnoDB unspecified vulnerability (CPU Oct 2023) (CVE-2023-22066, CVE-2023-22068, CVE-2023-22084,     CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)
    * mysql: Server: UDF unspecified vulnerability (CPU Oct 2023) (CVE-2023-22111)
    * mysql: Server: DML unspecified vulnerability (CPU Oct 2023) (CVE-2023-22115)
    * mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024) (CVE-2024-20960)
    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024) (CVE-2024-20963)
    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024) (CVE-2024-20964)
    * mysql: Server: Replication unspecified vulnerability (CPU Jan 2024) (CVE-2024-20967)
    * mysql: Server: Options unspecified vulnerability (CPU Jan 2024) (CVE-2024-20968)
    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20969)
    * mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024) (CVE-2024-20961, CVE-2024-20962,     CVE-2024-20965, CVE-2024-20966, CVE-2024-20970, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973,     CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20982)
    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20981)
    * mysql: Server: DML unspecified vulnerability (CPU Jan 2024) (CVE-2024-20983)
    * mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024) (CVE-2024-20984)
    * mysql: Server: UDF unspecified vulnerability (CPU Jan 2024) (CVE-2024-20985)
    * zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023) (CVE-2023-22038)
    * mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023) (CVE-2023-22048)
    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023) (CVE-2023-22113)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-0894 advisory.

    mecab     mecab-ipadic     mysql     [8.0.36-1]
    - Update to MySQL 8.0.36

    [8.0.35-2]
    - Fix int-conversion type error in memcached

    [8.0.35-1]
    - Update to MySQL 8.0.35
    - Remove patches now upstream

    [8.0.34-1]
    - Update to MySQL 8.0.34
    - Add patch from upstream bug#110569
    - Add patch to fix binlog format issue
    - Use --skip-combinations over --binlog-format=mixed
    - Add alignment patch upstream bug#110752

    [8.0.33-1]
    - Update to MySQL 8.0.33

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0894 advisory.

    MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld)     and many client programs and libraries.

    Security Fix(es):

    * mysql: InnoDB unspecified vulnerability (CPU Apr 2023) (CVE-2023-21911)

    * mysql: Server: DDL unspecified vulnerability (CPU Apr 2023) (CVE-2023-21919, CVE-2023-21929,     CVE-2023-21933)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023) (CVE-2023-21920, CVE-2023-21935,     CVE-2023-21945, CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982)

    * mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023) (CVE-2023-21940,     CVE-2023-21947, CVE-2023-21962)

    * mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21953, CVE-2023-21955)

    * mysql: Server: JSON unspecified vulnerability (CPU Apr 2023) (CVE-2023-21966)

    * mysql: Server: DML unspecified vulnerability (CPU Apr 2023) (CVE-2023-21972)

    * mysql: Client programs unspecified vulnerability (CPU Apr 2023) (CVE-2023-21980)

    * mysql: Server: Replication unspecified vulnerability (CPU Jul 2023) (CVE-2023-22005, CVE-2023-22007,     CVE-2023-22057)

    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22008)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023) (CVE-2023-22032, CVE-2023-22059,     CVE-2023-22064, CVE-2023-22065, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22092,     CVE-2023-22103, CVE-2023-22110, CVE-2023-22112)

    * mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22033)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023) (CVE-2023-22046, CVE-2023-22054,     CVE-2023-22056)

    * mysql: Client programs unspecified vulnerability (CPU Jul 2023) (CVE-2023-22053)

    * mysql: Server: DDL unspecified vulnerability (CPU Jul 2023) (CVE-2023-22058)

    * mysql: InnoDB unspecified vulnerability (CPU Oct 2023) (CVE-2023-22066, CVE-2023-22068, CVE-2023-22084,     CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)

    * mysql: Server: UDF unspecified vulnerability (CPU Oct 2023) (CVE-2023-22111)

    * mysql: Server: DML unspecified vulnerability (CPU Oct 2023) (CVE-2023-22115)

    * mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024) (CVE-2024-20960)

    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024) (CVE-2024-20963)

    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024) (CVE-2024-20964)

    * mysql: Server: Replication unspecified vulnerability (CPU Jan 2024) (CVE-2024-20967)

    * mysql: Server: Options unspecified vulnerability (CPU Jan 2024) (CVE-2024-20968)

    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20969)

    * mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024) (CVE-2024-20961, CVE-2024-20962,     CVE-2024-20965, CVE-2024-20966, CVE-2024-20970, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973,     CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20982)

    * mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20981)

    * mysql: Server: DML unspecified vulnerability (CPU Jan 2024) (CVE-2024-20983)

    * mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024) (CVE-2024-20984)

    * mysql: Server: UDF unspecified vulnerability (CPU Jan 2024) (CVE-2024-20985)

    * zstd: mysql: buffer overrun in util.c (CVE-2022-4899)

    * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023) (CVE-2023-22038)

    * mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023) (CVE-2023-22048)

    * mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023) (CVE-2023-22113)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Fix for MySQL bug #33630199 in 8.0.32 introduces regression when --set-gtid-purged=OFF (RHEL-22452)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the zstd package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the     command line tool to cause buffer overrun. (CVE-2022-4899)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the zstd package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the     command line tool to cause buffer overrun. (CVE-2022-4899)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-9ccff0b1b7 advisory.

    **MySQL 8.0.34**

    Release notes:

        https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-34.html

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-a9283d639f advisory.

    **MySQL 8.0.34**

    Release notes:

        https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-34.html

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-492105ed08 advisory.

    **MySQL 8.0.34**

    Release notes:

        https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-34.html

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 759a5599-3ce8-11ee-a0d1-84a93843eb75 advisory.

  - A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the     command line tool to cause buffer overrun. (CVE-2022-4899)

  - A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This     side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a     Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large     amount of specially crafted messages to the vulnerable server. By recovering the secret from the     ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that     connection. (CVE-2023-0361)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported     versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-21950)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported     versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-22005)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported     versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Easily exploitable vulnerability     allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22007)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are     affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with     network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL     Server. (CVE-2023-22008)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are     affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with     network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL     Server. (CVE-2023-22033)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).
    Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high     privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful     attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL     Server accessible data. (CVE-2023-22038)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported     versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-22046, CVE-2023-22054, CVE-2023-22056)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported     versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.
    (CVE-2023-22048)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions     that are affected are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit vulnerability allows low     privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful     attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable     crash (complete DOS) of MySQL Server and unauthorized read access to a subset of MySQL Server accessible     data. (CVE-2023-22053)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported     versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-22057)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions     that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker     with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-22058)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-244 advisory.

    In zstd, supplying an empty string as an argument to either --output-dir-flat or --output-dir-mirror may     cause a buffer overrun. (CVE-2022-4899)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of zstd installed on the remote host is prior to 1.5.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2140 advisory.

    In zstd, supplying an empty string as an argument to either --output-dir-flat or --output-dir-mirror may     cause a buffer overrun. (CVE-2022-4899)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The versions of MySQL Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2023 CPU advisory.

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (OpenSSL)). Supported     versions that are affected are 5.7.42 and prior and 8.0.33 and prior. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks     require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result     in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-2650)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Compiling (Zstandard)).
    Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     MySQL Server. (CVE-2022-4899)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are     affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network     access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in     unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2023-22008)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:1688-1 advisory.

  - A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the     command line tool to cause buffer overrun. (CVE-2022-4899)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-7fd02c2367 advisory.

    Update to zstd-1.5.4, fixes CVE-2022.4899.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-d451c1919f advisory.

    Update to zstd-1.5.4, fixes CVE-2022.4899.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-af177441a9 advisory.

    Update to zstd-1.5.4, fixes CVE-2022.4899.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
236470	Alibaba Cloud Linux 3 : 0032: mysql:8.0 (ALINUX3-SA-2024:0032)	Nessus	Alibaba Cloud Linux Local Security Checks	high
235542	RockyLinux 8 : mysql:8.0 (RLSA-2024:0894)	Nessus	Rocky Linux Local Security Checks	high
225629	Linux Distros Unpatched Vulnerability : CVE-2022-4899	Nessus	Misc.	high
204472	Photon OS 4.0: Mysql PHSA-2023-4.0-0435	Nessus	PhotonOS Local Security Checks	critical
203449	Photon OS 4.0: Zstd PHSA-2022-4.0-0235	Nessus	PhotonOS Local Security Checks	medium
194842	RHEL 7 : rh-mysql80-mysql (RHSA-2024:2619)	Nessus	Red Hat Local Security Checks	high
191718	AlmaLinux 9 : mysql (ALSA-2024:1141)	Nessus	Alma Linux Local Security Checks	high
191673	Oracle Linux 9 : mysql (ELSA-2024-1141)	Nessus	Oracle Linux Local Security Checks	high
191573	RHEL 9 : mysql (RHSA-2024:1141)	Nessus	Red Hat Local Security Checks	high
190901	AlmaLinux 8 : mysql:8.0 (ALSA-2024:0894)	Nessus	Alma Linux Local Security Checks	high
190885	Oracle Linux 8 : mysql:8.0 (ELSA-2024-0894)	Nessus	Oracle Linux Local Security Checks	high
190767	RHEL 8 : mysql:8.0 (RHSA-2024:0894)	Nessus	Red Hat Local Security Checks	high
188552	EulerOS Virtualization 2.11.0 : zstd (EulerOS-SA-2023-3388)	Nessus	Huawei Local Security Checks	high
188507	EulerOS Virtualization 2.11.1 : zstd (EulerOS-SA-2023-3370)	Nessus	Huawei Local Security Checks	high
188273	EulerOS 2.0 SP11 : zstd (EulerOS-SA-2023-3023)	Nessus	Huawei Local Security Checks	high
188264	EulerOS 2.0 SP11 : zstd (EulerOS-SA-2023-3046)	Nessus	Huawei Local Security Checks	high
185236	Fedora 39 : community-mysql (2023-9ccff0b1b7)	Nessus	Fedora Local Security Checks	medium
181491	Fedora 37 : community-mysql (2023-a9283d639f)	Nessus	Fedora Local Security Checks	medium
181486	Fedora 38 : community-mysql (2023-492105ed08)	Nessus	Fedora Local Security Checks	medium
179945	FreeBSD : MySQL -- Multiple vulnerabilities (759a5599-3ce8-11ee-a0d1-84a93843eb75)	Nessus	FreeBSD Local Security Checks	high
178614	Amazon Linux 2023 : libzstd, libzstd-devel, libzstd-static (ALAS2023-2023-244)	Nessus	Amazon Linux Local Security Checks	high
178559	Amazon Linux 2 : zstd (ALAS-2023-2140)	Nessus	Amazon Linux Local Security Checks	high
178471	Oracle MySQL Server 8.0.x < 8.0.34 (October 2023 CPU)	Nessus	Databases	medium
173701	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : zstd (SUSE-SU-2023:1688-1)	Nessus	SuSE Local Security Checks	high
173671	Fedora 37 : mingw-zstd (2023-7fd02c2367)	Nessus	Fedora Local Security Checks	high
173664	Fedora 38 : mingw-zstd (2023-d451c1919f)	Nessus	Fedora Local Security Checks	high
173658	Fedora 36 : mingw-zstd (2023-af177441a9)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2022-4899

high

Tenable Plugins

high

high

high

critical

medium

high

high

high

high

high

high

high

high

high

high

high

medium

medium

medium

high

high

high

medium

high

high

high

high