SB2018081624 - Red Hat update for mariadb




Published: August 16, 2018

Security Bulletin ID: SB2018081624
Severity: Low
Patch available: YES
Number of vulnerabilities: 21
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 21 security vulnerabilities.


1) Improper Access Control (CVE-ID: CVE-2017-3636)

The vulnerability exists due to an unspecified error in the Client programs component of MySQL Server. A local user can exploit the vulnerability to gain full access to MySQL databases.


2) Improper Access Control (CVE-ID: CVE-2017-3641)

The vulnerability exists due to an unspecified error in the DML component of MySQL Server. A remote privileged user can exploit the vulnerability to perform a denial of service attack.


3) Improper Access Control (CVE-ID: CVE-2017-3651)

The vulnerability exists due to an unspecified error in the Client mysqldump component of MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.


4) Improper Access Control (CVE-ID: CVE-2017-3653)

The vulnerability exists due to an unspecified error in the DDL component of MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.


5) Information disclosure (CVE-ID: CVE-2017-10268)

The vulnerability allows a local high-privileged attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). A local attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

6) Denial of service (CVE-ID: CVE-2017-10378)

The vulnerability allows a remote low-privileged attacker to cause a DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

7) Information disclosure (CVE-ID: CVE-2017-10379)

The vulnerability allows a remote low-privileged attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). A remote attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

8) Denial of service (CVE-ID: CVE-2017-10384)

The vulnerability allows a remote low-privileged attacker to cause a DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

9) Improper Access Control (CVE-ID: CVE-2018-2562)

The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to modify certain data on the system and perform a denial of service (DoS) attack.


10) Improper input validation (CVE-ID: CVE-2018-2622)

The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.


11) Improper input validation (CVE-ID: CVE-2018-2640)

The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.


12) Improper input validation (CVE-ID: CVE-2018-2665)

The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.


13) Improper input validation (CVE-ID: CVE-2018-2668)

The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.


14) Security restrictions bypass (CVE-ID: CVE-2018-2755)

The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A local attacker can execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

15) Security restrictions bypass (CVE-ID: CVE-2018-2761)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

16) Man-in-the-middle attack (CVE-ID: CVE-2018-2767)

The vulnerability allows a remote attacker to conduct a man-in-the-middle attack on the target system.

The vulnerability exists due to the presence of the BACKRONYM vulnerability. A remote attacker can conduct a man-in-the-middle attack, intercept the communication channel between the victim and the affected app, bypass security restrictions, and downgrade and snoop on the SSL/TLS connection.


17) Security restrictions bypass (CVE-ID: CVE-2018-2771)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

18) Security restrictions bypass (CVE-ID: CVE-2018-2781)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

19) Security restrictions bypass (CVE-ID: CVE-2018-2813)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of MySQL Server accessible data.

20) Security restrictions bypass (CVE-ID: CVE-2018-2817)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

21) Security restrictions bypass (CVE-ID: CVE-2018-2819)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Remediation

Install the update from the vendor's website.