Debian update for mysql-5.5



Published: 2017-10-20 | Updated: 2018-11-21
Risk Low
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2017-10268
CVE-2017-10378
CVE-2017-10379
CVE-2017-10384
CWE-ID CWE-200
CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		mysql-5.5 (Debian package)
Operating systems & Components / Operating system package or component

Vendor Debian

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU8995

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10268

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local high-privileged attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). A local attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update the affected package to version: 5.5.58-0+deb8u1.

Vulnerable software versions

mysql-5.5 (Debian package): 5.5.13-1 - 5.5.57-0+deb8u1

External links

http://www.debian.org/security/2018/dsa-4002


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Denial of service

EUVDB-ID: #VU9009

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10378

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected package to version: 5.5.58-0+deb8u1.

Vulnerable software versions

mysql-5.5 (Debian package): 5.5.13-1 - 5.5.57-0+deb8u1

External links

http://www.debian.org/security/2018/dsa-4002


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU9010

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10379

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote low-privileged attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). A remote attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update the affected package to version: 5.5.58-0+deb8u1.

Vulnerable software versions

mysql-5.5 (Debian package): 5.5.13-1 - 5.5.57-0+deb8u1

External links

http://www.debian.org/security/2018/dsa-4002


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Denial of service

EUVDB-ID: #VU9011

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10384

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected package to version: 5.5.58-0+deb8u1.

Vulnerable software versions

mysql-5.5 (Debian package): 5.5.13-1 - 5.5.57-0+deb8u1

External links

http://www.debian.org/security/2018/dsa-4002


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###