MariaDB Server 5.5.x < 5.5.54 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 9911 (High)

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

MariaDB is a community-developed fork of the MySQL relational database. The version of MariaDB installed on the remote host is 5.5.x earlier than 5.5.54, and is therefore affected by multiple vulnerabilities:

- A flaw exists in 'scripts/mysqld_safe.sh' that is triggered when handling arguments to 'malloc-lib'. This may allow a local attacker to gain elevated privileges. (OSVDB 146606)
- A flaw exists in 'sql/item_subselect.cc' that is triggered during the handling of queries from the select/unit tree. This may allow an authenticated attacker to crash the database. (OSVDB 149068)
- A flaw exists in the 'Item::check_well_formed_result()' function in 'sql/item.cc' that is triggered during the handling of row validation. This may allow an authenticated attacker to crash the database. (OSVDB 149069)
- A flaw exists in the 'Rpl_filter::parse_filter_rule()' function in 'sql/rpl_filter.cc' that is triggered during the clearing of wildcards. This may allow an authenticated attacker to crash the database. (OSVDB 149071)
- A flaw exists in the 'lex_one_token()' function in 'sql/sql_lex.cc' that is triggered during the handling of a specially crafted query. This may allow an authenticated attacker to crash the database. (OSVDB 149106)
- A flaw exists in the 'merge_buffers()' function in 'sql/filesort.cc' that is triggered during the handling of 'sort_union' optimization. This may allow an authenticated attacker to crash the database. (OSVDB 149347)
- A flaw exists in the 'Item_cache::safe_charset_converter()' function in 'sql/item.cc' that is triggered during the handling of a specially crafted subselect query item. This may allow an authenticated attacker to crash the database. (OSVDB 149351)
- A flaw exists in the 'st_select_lex::is_merged_child_of()' function in 'sql/sql_lex.cc' that is triggered when handling merged views or derived tables. This may allow an authenticated attacker to crash the database. (OSVDB 149352)
- A flaw exists in 'sql/item.cc' that is triggered during the handling of a specially crafted subquery. This may allow an authenticated attacker to crash the database. (OSVDB 149353)
- A flaw exists in 'scripts/mysqld_safe.sh' related to insecure use of certain shell utilities (e.g., chown and rm) when handling error log files. This may allow a local attacker to gain 'root' privileges via a symlink attack. (OSVDB 150449)
- An unspecified flaw exists related to the DDL subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (OSVDB 150450)
- An unspecified flaw exists related to the DML subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (OSVDB 150452)
- An unspecified flaw exists related to the 'Server:Optimizer' subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (OSVDB 150454)
- A flaw exists in 'scripts/mysqld_safe.sh' related to the handling of the '--ledir' command line option, which specifies the directory where mysqld is stored, as this value may be read from the configuration file. This may allow a local attacker to gain elevated privileges. (OSVDB 150456)
- A flaw exists in the 'packaging/rpm-oel/mysql.init' initialization script related to insecure use of the chown and chmod utilities. This may allow a local attacker to gain 'root' privileges. (OSVDB 150457)
- An unspecified flaw exists related to the Logging subcomponent. This may allow a local attacker to cause a denial of service. No further details have been provided by the vendor. (OSVDB 150463)
- An unspecified flaw exists related to the Error Handling subcomponent. This may allow a local attacker to gain access to sensitive information. No further details have been provided by the vendor. (OSVDB 150464)

Solution

Upgrade to version 5.5.54 or later.

See Also

https://mariadb.com/kb/en/mariadb/mariadb-5554-release-notes

Plugin Details

Severity: High

ID: 9911

File Name: 9911.prm

Family: Database

Published: 2017/01/26

Modified: 2017/01/26

Dependencies: 8693

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.4

Temporal Score: 7.8

Vector: CVSS3#AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mariadb:mariadb

Patch Publication Date: 2016/12/24

Vulnerability Publication Date: 2015/03/10

Reference Information

CVE: CVE-2016-6664, CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3265, CVE-2017-3291, CVE-2017-3312, CVE-2017-3317, CVE-2017-3318

BID: 93612

OSVDB: 146606, 149068, 149069, 149071, 149106, 149347, 149351, 149352, 149353, 150449, 150450, 150452, 150454, 150456, 150457, 150463, 150464