SB2017041802 - Multiple vulnerabilities in Oracle MySQL
Published: April 18, 2017
Security Bulletin ID
SB2017041802
Severity
Low
Patch available
YES
Number of vulnerabilities
5
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2017-3306)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information, write arbitrary files and cause DoS condition on the target system.The weakness exists in MySQL Enterprise Monitor due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, create, delete or modify critical data or all MySQL Enterprise Monitor accessible data, gain unauthorized access to critical data or complete access to all MySQL Enterprise Monitor accessible data and partially cause the service to crash.
2) Security restrictions bypass (CVE-ID: CVE-2017-3304)
The vulnerability allows a remote authenticated attacker to write arbitrary files and cause DoS condition on the target system.The weakness exists in MySQL Cluster due to improper security restrictions. A remote attacker can update, insert or delete some of MySQL Cluster accessible data and partially cause the service to crash.
3) Information disclosure (CVE-ID: CVE-2017-3469)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.The weakness exists in MySQL Workbench due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of MySQL Workbench accessible data.
4) Security restrictions bypass (CVE-ID: CVE-2017-3590)
The vulnerability allows a local authenticated attacker to write arbitrary files on the target system.The weakness exists in MySQL Connectors due to improper security restrictions. A local attacker can update, insert or delete some of MySQL Connectors accessible data.
5) Security restrictions bypass (CVE-ID: CVE-2017-3307)
The vulnerability allows a remote authenticated attacker to write arbitrary files and cause DoS condition on the target system.The weakness exists in MySQL Enterprise Monitor due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of MySQL Enterprise Monitor accessible data and partially cause the service to crash.
Remediation
Install update from vendor's website.