Amazon Linux AMI update for mysql55



Published: 2018-05-25 | Updated: 2018-05-30
Risk Low
Patch available YES
Number of vulnerabilities 9
CVE-ID CVE-2018-2761
CVE-2018-2755
CVE-2018-2781
CVE-2018-2819
CVE-2018-2818
CVE-2018-2817
CVE-2018-2771
CVE-2018-2813
CVE-2018-2773
CWE-ID CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU12012

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2761

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU12009

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2755

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A local attacker can execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

EUVDB-ID: #VU12024

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2781

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Security restrictions bypass

EUVDB-ID: #VU12038

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2819

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU12037

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2818

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security restrictions bypass

EUVDB-ID: #VU12036

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2817

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Security restrictions bypass

EUVDB-ID: #VU12016

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2771

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Security restrictions bypass

EUVDB-ID: #VU12033

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2813

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of MySQL Server accessible data.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Security restrictions bypass

EUVDB-ID: #VU12017

Risk: Low

CVSSv3.1: 3.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2773

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A local attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql55-embedded-5.5.60-1.21.amzn1.i686
    mysql55-devel-5.5.60-1.21.amzn1.i686
    mysql-config-5.5.60-1.21.amzn1.i686
    mysql55-test-5.5.60-1.21.amzn1.i686
    mysql55-server-5.5.60-1.21.amzn1.i686
    mysql55-bench-5.5.60-1.21.amzn1.i686
    mysql55-libs-5.5.60-1.21.amzn1.i686
    mysql55-debuginfo-5.5.60-1.21.amzn1.i686
    mysql55-embedded-devel-5.5.60-1.21.amzn1.i686
    mysql55-5.5.60-1.21.amzn1.i686

src:
    mysql55-5.5.60-1.21.amzn1.src

x86_64:
    mysql55-bench-5.5.60-1.21.amzn1.x86_64
    mysql55-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-5.5.60-1.21.amzn1.x86_64
    mysql-config-5.5.60-1.21.amzn1.x86_64
    mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64
    mysql55-libs-5.5.60-1.21.amzn1.x86_64
    mysql55-test-5.5.60-1.21.amzn1.x86_64
    mysql55-server-5.5.60-1.21.amzn1.x86_64
    mysql55-devel-5.5.60-1.21.amzn1.x86_64
    mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1028.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###