Multiple vulnerabilities in Percona Server for MySQL
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648 CVE-2017-3651 CVE-2017-3652 CVE-2017-3653 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Percona Server for MySQL Server applications / Database software |
| Vendor | Percona LLC |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Improper Access Control
EUVDB-ID: #VU10284
Risk: Low
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3635
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within C API component. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
MitigationUpdate to version 5.5.57-38.9.
Vulnerable software versionsPercona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8
CPE2.3- cpe:2.3:a:percona:percona_server_for_mysql:5.5.11-20.2:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.12-20.3:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.13-20.4:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Access Control
EUVDB-ID: #VU10285
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3636
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Client programs component. A local user can exploit the vulnerability to gain full access to MySQL databases.
MitigationUpdate to version 5.5.57-38.9.
Vulnerable software versionsPercona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8
CPE2.3- cpe:2.3:a:percona:percona_server_for_mysql:5.5.11-20.2:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.12-20.3:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.13-20.4:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Access Control
EUVDB-ID: #VU10290
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3641
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationUpdate to version 5.5.57-38.9.
Vulnerable software versionsPercona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8
CPE2.3- cpe:2.3:a:percona:percona_server_for_mysql:5.5.11-20.2:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.12-20.3:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.13-20.4:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Access Control
EUVDB-ID: #VU10297
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3648
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Charsets component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationUpdate to version 5.5.57-38.9.
Vulnerable software versionsPercona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8
CPE2.3- cpe:2.3:a:percona:percona_server_for_mysql:5.5.11-20.2:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.12-20.3:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.13-20.4:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Access Control
EUVDB-ID: #VU10300
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3651
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Client mysqldump component. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.
MitigationUpdate to version 5.5.57-38.9.
Vulnerable software versionsPercona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8
CPE2.3- cpe:2.3:a:percona:percona_server_for_mysql:5.5.11-20.2:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.12-20.3:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.13-20.4:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Access Control
EUVDB-ID: #VU10301
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3652
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DDL component. A remote authenticated attacker can exploit the vulnerability to gain access unauthorized access and modify data.
MitigationUpdate to version 5.5.57-38.9.
Vulnerable software versionsPercona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8
CPE2.3- cpe:2.3:a:percona:percona_server_for_mysql:5.5.11-20.2:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.12-20.3:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.13-20.4:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper Access Control
EUVDB-ID: #VU10303
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3653
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DDL component. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.
MitigationUpdate to version 5.5.57-38.9.
Vulnerable software versionsPercona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8
CPE2.3- cpe:2.3:a:percona:percona_server_for_mysql:5.5.11-20.2:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.12-20.3:*:*:*:*:*:*:*
- cpe:2.3:a:percona:percona_server_for_mysql:5.5.13-20.4:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
