MariaDB Server 10.1.x < 10.1.21 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9915

Synopsis

The remote database server is affected by multiple attack vectors.

Description

MariaDB is a community-developed fork of the MySQL relational database. The version of MariaDB installed on the remote host is 10.1.x earlier than 10.1.21, and is therefore affected by multiple vulnerabilities:

- A flaw exists in the 'merge_buffers()' function in 'sql/filesort.cc' that is triggered during the handling of 'sort_union' optimization. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item_cache::safe_charset_converter()' function in 'sql/item.cc' that is triggered during the handling of a specially crafted subselect query item. This may allow an authenticated attacker to crash the database.
- A flaw exists in 'scripts/mysqld_safe.sh' related to insecure use of certain shell utilities (e.g., chown and rm) when handling error log files. This may allow a local attacker to gain 'root' privileges via a symlink attack.
- An unspecified flaw exists related to the DDL subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor.
- An unspecified flaw exists related to the DML subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor.
- An unspecified flaw exists related to the InnoDB subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor.
- An unspecified flaw exists related to the 'Server:Optimizer' subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor.
- A flaw exists in 'scripts/mysqld_safe.sh' related to handling of the '--ledir' command line option used to specify the directory where mysqld is stored, as this value may be read from the configuration file. This may allow a local attacker to gain elevated privileges.
- A flaw exists in the 'packaging/rpm-oel/mysql.init' initialization script related to insecure use of the chown and chmod utilities. This may allow a local attacker to gain 'root' privileges.
- An unspecified flaw exists related to the Logging subcomponent. This may allow a local attacker to cause a denial of service. No further details have been provided by the vendor.
- An unspecified flaw exists related to the Error Handling subcomponent. This may allow a local attacker to gain access to sensitive information. No further details have been provided by the vendor.
- An out-of-bounds access flaw exists in the 'Item_partition_func_safe_string()' function in 'sql/item.h' that is triggered during the handling of 'information_schema.processlist' tables. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Table_triggers_list::prepare_record_accessors()' function in 'sql/sql_trigger.cc' that is triggered during the handling of a specially crafted table. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'handle_if_exists_options()' function in 'sql/sql_table.cc' that is triggered during the handling of specially crafted 'ADD FOREIGN KEY' statements. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item::decimal_precision()' function in 'sql/item.cc' that is triggered during the handling of a 'SELECT' statement in a crafted query. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Field_time::store_TIME_with_warning()' function that is triggered when handling a specially crafted 'INSERT' query. This may allow an authenticated attacker to crash the database.

Solution

Upgrade to version 10.1.21 or later.

See Also

https://mariadb.com/kb/en/mariadb-10121-release-notes

Plugin Details

Severity: Medium

ID: 9915

Family: Database

Published: 1/26/2017

Updated: 3/6/2019

Nessus ID: 96486, 96489

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mariadb:mariadb

Patch Publication Date: 12/24/2016

Vulnerability Publication Date: 7/17/2016

Reference Information

CVE: CVE-2016-6664, CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3258, CVE-2017-3265, CVE-2017-3291, CVE-2017-3312, CVE-2017-3317, CVE-2017-3318

BID: 93612