Multiple vulnerabilities in Percona Server for MySQL

1) Improper Access Control

EUVDB-ID: #VU10284

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3635

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability exists due to an unspecified error in the MySQL Server within C API component. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.

Mitigation

Update to version 5.5.57-38.9.

Vulnerable software versions

Percona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8

External links

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Access Control

EUVDB-ID: #VU10285

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3636

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability exists due to an unspecified error in the MySQL Server within Client programs component. A local user can exploit the vulnerability to gain full access to MySQL databases.

Mitigation

Update to version 5.5.57-38.9.

Vulnerable software versions

Percona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8

External links

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Access Control

EUVDB-ID: #VU10290

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3641

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability exists due to an unspecified error in the MySQL Server within DML component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.

Mitigation

Update to version 5.5.57-38.9.

Vulnerable software versions

Percona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8

External links

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper Access Control

EUVDB-ID: #VU10297

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3648

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability exists due to an unspecified error in the MySQL Server within Charsets component. A remote privileged user can exploit the vulnerability to perform a denial of service attack.

Mitigation

Update to version 5.5.57-38.9.

Vulnerable software versions

Percona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8

External links

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Access Control

EUVDB-ID: #VU10300

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3651

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability exists due to an unspecified error in the MySQL Server within Client mysqldump component. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.

Mitigation

Update to version 5.5.57-38.9.

Vulnerable software versions

Percona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8

External links

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Access Control

EUVDB-ID: #VU10301

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3652

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability exists due to an unspecified error in the MySQL Server within DDL component. A remote authenticated attacker can exploit the vulnerability to gain access unauthorized access and modify data.

Mitigation

Update to version 5.5.57-38.9.

Vulnerable software versions

Percona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8

External links

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper Access Control

EUVDB-ID: #VU10303

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3653

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability exists due to an unspecified error in the MySQL Server within DDL component. A remote authenticated attacker can exploit the vulnerability to perform unauthorized modification of data.

Mitigation

Update to version 5.5.57-38.9.

Vulnerable software versions

Percona Server for MySQL: 5.5.11-20.2 - 5.5.55-38.8

External links

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.