Multiple vulnerabilities in MySQL Enterprise Backup
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-0853 CVE-2023-6129 |
| CWE-ID | CWE-299 CWE-371 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
MySQL Enterprise Backup Client/Desktop applications / Software for system administration |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper check for certificate revocation
EUVDB-ID: #VU85927
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0853
CWE-ID:
CWE-299 - Improper Check for Certificate Revocation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass OCSP verification.
The vulnerability exists due to curl inadvertently keeps the SSL session ID for connections in its cache even when the verify status (OCSP stapling)
test has failed. A subsequent transfer to the same hostname will be successful if the session ID cache is still fresh, which leads to skipping the
verify status check. As a result, OCSP verification is always successful for all subsequent TLS sessions.
Install update from vendor's website.
Vulnerable software versionsMySQL Enterprise Backup: 8.0.0 - 8.3.0
CPE2.3- cpe:2.3:a:oracle:mysql_enterprise_backup:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_backup:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_backup:8.0.2:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2024.html?505646
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) State Issues
EUVDB-ID: #VU85170
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-6129
CWE-ID:
CWE-371 - State Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in POLY1305 MAC (message authentication code) implementation on PowerPC CPU based platforms if the CPU provides vector instructions. A remote attacker can perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsMySQL Enterprise Backup: 8.0.0 - 8.3.0
CPE2.3- cpe:2.3:a:oracle:mysql_enterprise_backup:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_backup:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_backup:8.0.2:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2024.html?505646
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
