SB2021072058 - Multiple vulnerabilities in MySQL Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021072058

SB2021072058 - Multiple vulnerabilities in MySQL Server

Published: July 20, 2021

Security Bulletin ID SB2021072058
Severity
High
Patch available
YES
Number of vulnerabilities 35
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 6% Medium 86% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 35 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2021-2340)

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: Memcached component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.


2) Improper input validation (CVE-ID: CVE-2021-2374)

The vulnerability allows a local privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A local privileged user can exploit this vulnerability to gain access to sensitive information.


3) Improper input validation (CVE-ID: CVE-2021-2372)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


4) Improper input validation (CVE-ID: CVE-2021-2424)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


5) Improper input validation (CVE-ID: CVE-2021-2422)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: PS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


6) Improper input validation (CVE-ID: CVE-2021-2441)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


7) Improper input validation (CVE-ID: CVE-2021-2437)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


8) Improper input validation (CVE-ID: CVE-2021-2427)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


9) Improper input validation (CVE-ID: CVE-2021-2426)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


10) Improper input validation (CVE-ID: CVE-2021-2425)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


11) Improper input validation (CVE-ID: CVE-2021-2418)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


12) Improper input validation (CVE-ID: CVE-2021-2410)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


13) Improper input validation (CVE-ID: CVE-2021-2444)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


14) Improper input validation (CVE-ID: CVE-2021-2387)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


15) Improper input validation (CVE-ID: CVE-2021-2384)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


16) Improper input validation (CVE-ID: CVE-2021-2383)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


17) Improper input validation (CVE-ID: CVE-2021-2412)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


18) Improper input validation (CVE-ID: CVE-2021-2367)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


19) Improper input validation (CVE-ID: CVE-2021-2357)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


20) Improper input validation (CVE-ID: CVE-2021-2342)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


21) Improper input validation (CVE-ID: CVE-2021-2402)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Locking component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


22) Improper input validation (CVE-ID: CVE-2021-2354)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Federated component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


23) Improper input validation (CVE-ID: CVE-2021-2440)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


24) Improper input validation (CVE-ID: CVE-2021-2370)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


25) Improper input validation (CVE-ID: CVE-2021-2399)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


26) Improper input validation (CVE-ID: CVE-2021-2352)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


27) Improper input validation (CVE-ID: CVE-2021-2339)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


28) Improper input validation (CVE-ID: CVE-2021-2385)

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.


29) Improper input validation (CVE-ID: CVE-2021-2356)

The vulnerability allows a remote authenticated user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote authenticated user can exploit this vulnerability to damange or delete data.


30) Improper input validation (CVE-ID: CVE-2021-2429)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


31) Improper input validation (CVE-ID: CVE-2021-2390)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


32) Improper input validation (CVE-ID: CVE-2021-2389)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


33) Improper input validation (CVE-ID: CVE-2021-2417)

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Server: GIS component in MySQL Server. A remote privileged user can exploit this vulnerability to read and manipulate data.


34) Heap-based buffer overflow (CVE-ID: CVE-2019-17543)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the LZ4_write32 when performing archiving operation with LZ4_compress_fast. A remote attacker can pass specially crafted input to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


35) Use-after-free (CVE-ID: CVE-2021-22901)

The vulnerability allows a remote attacker to crash the application or compromise the vulnerable system.

The vulnerability exists due to a use-after-free error when processing creation of new TLS sessions or during client certificate negotiation. A remote attacker can force the application to connect to a malicious server, trigger a use-after-free error and crash the application.

Remote code execution is also possible if the application can be forced to initiate multiple transfers with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection in order to inject a crafted memory content into the correct place in memory.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system but requires that libcurl is using OpenSSL.


Remediation

Install update from vendor's website.

References