Oracle MySQL Connectors Multiple Vulnerabilities (Apr 2019 CPU)
Medium Nessus Plugin ID 125340
Synopsis
The remote host is affected by multiple vulnerabilities.
Description
The version of Oracle MySQL Connectors installed on the remote host is 8.0.x prior to 8.0.16 or 5.3.x prior to 5.3.13.
It is, therefore, affected by multiple vulnerabilities as noted in the April 2019 Critical Patch Update advisory:
- An unspecified vulnerability exists in the Connector/J subcomponent. An authenticated attacker can exploit this issue to take full control of the target system. (CVE-2019-2692)
- A padding oracle vulnerability exists in the Connector/ODBC (OpenSSL) subcomponent. If the application is configured to use 'non-stitched' ciphersuites, a remote attacker can trigger a fatal protocol error condition. The vulnerable application presents padding-related error messages that allow the attacker to decrypt data. (CVE-2019-1559)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Apply the appropriate patches according to the April 2019 Oracle Critical Patch Update advisory.