SB2017101716 - Multiple vulnerabilities in Oracle MySQL

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017101716

SB2017101716 - Multiple vulnerabilities in Oracle MySQL

Published: October 18, 2017 Updated: October 31, 2017

Security Bulletin ID SB2017101716
Severity
Low
Patch available
YES
Number of vulnerabilities 24
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 24 secuirty vulnerabilities.


1) Denial of service (CVE-ID: CVE-2017-10155)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

2) Denial of service (CVE-ID: CVE-2017-10165)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

3) Denial of service (CVE-ID: CVE-2017-10167)

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

4) Denial of service (CVE-ID: CVE-2017-10203)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Net). A remote attacker can use multiple protocols to cause a partial denial of service (partial DOS) of MySQL Connectors.

Successful exploitation of the vulnerability results in denial of service.

5) Denial of service (CVE-ID: CVE-2017-10227)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

6) Information disclosure (CVE-ID: CVE-2017-10268)

The vulnerability allows a local high-privileged attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). A local attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

7) Denial of service (CVE-ID: CVE-2017-10276)

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: FTS). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

8) Improper access control (CVE-ID: CVE-2017-10277)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Net). A remote attacker can gain unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data.

9) Denial of service (CVE-ID: CVE-2017-10279)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

10) Denial of service (CVE-ID: CVE-2017-10283)

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

11) Denial of service (CVE-ID: CVE-2017-10284)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Stored Procedure). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

12) Denial of service (CVE-ID: CVE-2017-10286)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

13) Denial of service (CVE-ID: CVE-2017-10294)

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

14) Denial of service (CVE-ID: CVE-2017-10296)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

15) Denial of service (CVE-ID: CVE-2017-10311)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: FTS). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

16) Denial of service (CVE-ID: CVE-2017-10313)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Group Replication GCS). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

17) Denial of service (CVE-ID: CVE-2017-10314)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

18) Denial of service (CVE-ID: CVE-2017-10320)

The vulnerability allows a remote high-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

19) Security restrictions bypass (CVE-ID: CVE-2017-10365)

The vulnerability allows a remote high-privileged attacker to bypass security restrictions on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). A remote attacker can gain unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server.

20) Denial of service (CVE-ID: CVE-2017-10378)

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

21) Information disclosure (CVE-ID: CVE-2017-10379)

The vulnerability allows a remote low-privileged attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). A remote attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

22) Denial of service (CVE-ID: CVE-2017-10384)

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

23) Security restrictions bypass (CVE-ID: CVE-2017-10424)

The vulnerability allows a remote attacker to bypass security restriction on the target system.

The weakness exists due to an error in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Web). A remote attacker can use multiple protocols to compromise MySQL Enterprise Monitor.

24) Security bypass (CVE-ID: CVE-2017-5664)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper handling of certain HTTP request methods for static error pages in Default Servlet. A remote attacker can bypass HTTP method restrictions and cause the error page to be deleted or replaced.

Successful exploitation of the vulnerability results in information modification.

Remediation

Install update from vendor's website.

References