Risk | Low |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2017-3306 CVE-2017-3304 CVE-2017-3469 CVE-2017-3590 CVE-2017-3307 |
CWE-ID | CWE-264 CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | MySQL Enterprise Monitor (Server applications / Database software); MySQL Cluster (Web applications / Remote management & hosting panels); MySQL Workbench (Universal components / Libraries / Software for developers); MySQL Connectors (Hardware solutions / Drivers) |
Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU12239
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L/E:U/U:Clear]
CVE-ID: CVE-2017-3306
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information, write arbitrary files and cause a DoS condition on the target system.
The weakness exists in MySQL Enterprise Monitor due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and then create, delete or modify critical data or all MySQL Enterprise Monitor accessible data, gain unauthorized access to critical data or complete access to all MySQL Enterprise Monitor accessible data, and partially cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions
MySQL Enterprise Monitor: 3.1.6.8003 - 3.3.2.1162
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12243
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3304
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to write arbitrary files and cause a DoS condition on the target system.
The weakness exists in MySQL Cluster due to improper security restrictions. A remote attacker can update, insert or delete some MySQL Cluster accessible data and partially cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions
MySQL Cluster: 7.2.20 - 7.5.5
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12251
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3469
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists in MySQL Workbench due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of MySQL Workbench accessible data.
Install the update from the vendor's website.
Vulnerable software versions
MySQL Workbench: 6.3.0 - 6.3.8
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12252
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3590
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a local authenticated attacker to write arbitrary files on the target system.
The weakness exists in MySQL Connectors due to improper security restrictions. A local attacker can update, insert or delete some MySQL Connectors accessible data.
Install the update from the vendor's website.
Vulnerable software versions
MySQL Connectors: 2.1.0 - 2.1.5
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12253
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3307
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to write arbitrary files and cause a DoS condition on the target system.
The weakness exists in MySQL Enterprise Monitor due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and then update, insert or delete some MySQL Enterprise Monitor accessible data and partially cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions
MySQL Enterprise Monitor: 3.1.6.8003 - 3.3.2.1162
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.