Multiple vulnerabilities in Oracle MySQL Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 25 |
| CVE-ID | CVE-2017-3635 CVE-2017-3636 CVE-2017-3529 CVE-2017-3637 CVE-2017-3639 CVE-2017-3640 CVE-2017-3641 CVE-2017-3643 CVE-2017-3644 CVE-2017-3638 CVE-2017-3642 CVE-2017-3645 CVE-2017-3646 CVE-2017-3648 CVE-2017-3647 CVE-2017-3649 CVE-2017-3651 CVE-2017-3652 CVE-2017-3650 CVE-2017-3653 CVE-2017-3634 CVE-2017-3633 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 |
| CWE-ID | CWE-284 CWE-125 CWE-310 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
MySQL Server Server applications / Database software |
| Vendor |
Oracle |
Security Bulletin
This security bulletin contains information about 25 vulnerabilities.
1) Improper Access Control
EUVDB-ID: #VU10284
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3635
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within C API component. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.5.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Access Control
EUVDB-ID: #VU10285
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3636
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Client programs component. A local user can exploit the vulnerability to gain full access to MySQL databases.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.5.0 - 5.6.34
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Access Control
EUVDB-ID: #VU10286
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3529
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within UDF component. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Access Control
EUVDB-ID: #VU10287
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3637
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within X Plugin component. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Access Control
EUVDB-ID: #VU10288
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3639
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Access Control
EUVDB-ID: #VU10289
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3640
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper Access Control
EUVDB-ID: #VU10290
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3641
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.5.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper Access Control
EUVDB-ID: #VU10291
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3643
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper Access Control
EUVDB-ID: #VU10292
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3644
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper Access Control
EUVDB-ID: #VU10293
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3638
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Optimizer component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improper Access Control
EUVDB-ID: #VU10294
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3642
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Optimizer component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper Access Control
EUVDB-ID: #VU10295
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3645
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Optimizer component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Improper Access Control
EUVDB-ID: #VU10296
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3646
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within X Plugin component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Improper Access Control
EUVDB-ID: #VU10297
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3648
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Charsets component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.5.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Improper Access Control
EUVDB-ID: #VU10298
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3647
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Replication component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions:
: 5.6.9 - 5.7.16
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Improper Access Control
EUVDB-ID: #VU10299
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3649
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Replication component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions:
: 5.6.9 - 5.7.16
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Improper Access Control
EUVDB-ID: #VU10300
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3651
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Client mysqldump component. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.5.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Improper Access Control
EUVDB-ID: #VU10301
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3652
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DDL component. A remote authenticated attacker can exploit the vulnerability to gain access unauthorized access and modify data.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.5.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Improper Access Control
EUVDB-ID: #VU10302
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3650
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within C API component. A remote unauthenticated attacker can exploit the vulnerability to gain access to potentially sensitive information.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.7.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Improper Access Control
EUVDB-ID: #VU10303
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3653
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DDL component. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.
MitigationInstall updates from vednor's website.
Vulnerable software versions: 5.5.0 - 5.7.16
:
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Improper Access Control
EUVDB-ID: #VU10283
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3634
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions:
: 5.6.9 - 5.7.16
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Improper Access Control
EUVDB-ID: #VU10282
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3633
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability exists due to an unspecified error in the MySQL Server within Memcached component. A remote unauthenticated attacker can exploit the vulnerability to modify certain data on the system and perform a denial of service (DoS) attack.
MitigationInstall updates from vednor's website.
Vulnerable software versions:
: 5.6.9 - 5.7.16
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Out-of-bounds read
EUVDB-ID: #VU5420
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3731
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause denial of service conditions.
The vulnerability exists due to out-of-bounds read in OpenSSL when processing truncated packets on 32-bit system using certain ciphers. A remote attacker can send a specially crafted truncated packet using CHACHA20/POLY1305 cipher for OpenSSL 1.1.0 or RC4-MD5 for 1.0.2 and trigger denial of service.
Successful exploitation of the vulnerability may allow an attacker to perform denial of service (DoS) attack against vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versions: 5.6.0 - 5.7.17
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Information disclosure
EUVDB-ID: #VU5442
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3732
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to propagating error in the x86_64 Montgomery squaring procedure. A remote attacker with access to unpatched vulnerable system that uses a shared private key with Diffie-Hellman (DH) parameters set can gain unauthorized access to sensitive private key information.
According to vendor’s advisory, this vulnerability is unlikely to be exploited in real-world attacks, as it requires significant resources and online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.
Vulnerability exploitation against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely.
MitigationInstall update from vendor's website.
Vulnerable software versions: 5.6.0 - 5.7.17
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Information disclosure
EUVDB-ID: #VU5894
Risk: Low
CVSSv3.1: 3.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-7055
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt certain data.
The vulnerability exists in OpenSSL implementation due to propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. A remote attacker can launch attacks against RSA, DSA and DH private keys and decrypt information, passed over encrypted channels. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation.
Successful exploitation of the vulnerability may allow an attacker in certain conditions to launch attacks against OpenSSL clients.
MitigationInstall update from vendor's website.
Vulnerable software versions: 5.6.0 - 5.7.17
External linkshttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
