SB2022042756 - Red Hat Enterprise Linux 8 update for the mariadb:10.3 module

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2021-2372)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

2) Improper input validation (CVE-ID: CVE-2021-2389)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

3) Resource exhaustion (CVE-ID: CVE-2021-46657)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing certain subquery uses of ORDER BY. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

4) Reachable Assertion (CVE-ID: CVE-2021-46666)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to mishandling of a pushdown from a HAVING clause to a WHERE clause. A local user can perform a denial of service (DoS) attack.

5) Improper input validation (CVE-ID: CVE-2021-2154)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

6) Improper input validation (CVE-ID: CVE-2021-2166)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

7) Integer overflow (CVE-ID: CVE-2021-46667)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to integer overflow in the sql_lex.cc. A local user can pass specially crafted data to the application, trigger integer overflow and perform a denial of service attack.

8) Resource exhaustion (CVE-ID: CVE-2021-46658)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of with_window_func=true for a subquery. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

9) Input validation error (CVE-ID: CVE-2021-46662)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to set_var.cc application crash in certain uses of an UPDATE statement in conjunction with a nested subquery. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

10) Improper input validation (CVE-ID: CVE-2021-35604)

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2022:1556