SB2018031517 - SUSE Linux update for mariadb
Published: March 15, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-10268)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local high-privileged attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). A local attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.
Successful exploitation of the vulnerability results in information disclosure.
2) Denial of service (CVE-ID: CVE-2017-10378)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote low-privileged attacker to cause DoS condition on the target system.
The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Successful exploitation of the vulnerability results in denial of service.
3) Improper Access Control (CVE-ID: CVE-2018-2562)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to modify certain data on the system and perform a denial of service (DoS) attack.
4) Improper Access Control (CVE-ID: CVE-2018-2612)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability exists due to an unspecified error in the MySQL Server. A remote privileged user can exploit the vulnerability to modify or delete certain data in database.
5) Improper input validation (CVE-ID: CVE-2018-2622)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
6) Improper input validation (CVE-ID: CVE-2018-2640)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
7) Improper input validation (CVE-ID: CVE-2018-2665)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
8) Improper input validation (CVE-ID: CVE-2018-2668)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability exists due to an unspecified error in the MySQL Server. A remote authenticated attacker can exploit the vulnerability to perform a denial of service attack.
Remediation
Install update from vendor's website.