Improper input validation in products

#VU11099 Improper input validation in products

Cybersecurity Help s.r.o.

Published: 2018-03-15 | Updated: 2018-12-06

Vulnerability identifier: #VU11099

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3329

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:

Vendor:

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper input validation within the Thread Pooling subcomponent. A remote attacker can send a specially crated MySQL packet to the affected server and cause it to crash.

Mitigation
Update to version 5.5.55, 5.6.36 or 5.7.18.

Vulnerable software versions

: 5.5.0 - 5.5.54, 5.6.9 - 5.6.34, 5.7.0 - 5.7.16

External links
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for MySQL

Ubuntu update for MySQL

Debian update for mysql-5.5