Amazon Linux AMI update for mysql56



Published: 2018-05-25 | Updated: 2018-05-30
Risk Low
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2018-2761
CVE-2018-2755
CVE-2018-2766
CVE-2018-2758
CVE-2018-2781
CVE-2018-2782
CVE-2018-2819
CVE-2018-2784
CVE-2018-2787
CVE-2018-2817
CVE-2018-2773
CVE-2018-2771
CVE-2018-2813
CVE-2018-2818
CWE-ID CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU12012

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2761

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU12009

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2755

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A local attacker can execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

EUVDB-ID: #VU12014

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2766

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Security restrictions bypass

EUVDB-ID: #VU12010

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2758

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU12024

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2781

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security restrictions bypass

EUVDB-ID: #VU12025

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2782

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Security restrictions bypass

EUVDB-ID: #VU12038

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2819

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Security restrictions bypass

EUVDB-ID: #VU12027

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2784

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Security restrictions bypass

EUVDB-ID: #VU12029

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2787

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to write arbitrary files and cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can update, insert or delete some of MySQL Server accessible data and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Security restrictions bypass

EUVDB-ID: #VU12036

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2817

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Security restrictions bypass

EUVDB-ID: #VU12017

Risk: Low

CVSSv3.1: 3.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2773

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A local attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Security restrictions bypass

EUVDB-ID: #VU12016

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2771

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Security restrictions bypass

EUVDB-ID: #VU12033

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2813

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of MySQL Server accessible data.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Security restrictions bypass

EUVDB-ID: #VU12037

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2818

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the MySQL Server component of Oracle MySQL due to improper security restrictions. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-embedded-devel-5.6.40-1.29.amzn1.i686
    mysql56-debuginfo-5.6.40-1.29.amzn1.i686
    mysql56-libs-5.6.40-1.29.amzn1.i686
    mysql56-server-5.6.40-1.29.amzn1.i686
    mysql56-bench-5.6.40-1.29.amzn1.i686
    mysql56-5.6.40-1.29.amzn1.i686
    mysql56-embedded-5.6.40-1.29.amzn1.i686
    mysql56-test-5.6.40-1.29.amzn1.i686
    mysql56-devel-5.6.40-1.29.amzn1.i686
    mysql56-common-5.6.40-1.29.amzn1.i686
    mysql56-errmsg-5.6.40-1.29.amzn1.i686

src:
    mysql56-5.6.40-1.29.amzn1.src

x86_64:
    mysql56-5.6.40-1.29.amzn1.x86_64
    mysql56-libs-5.6.40-1.29.amzn1.x86_64
    mysql56-test-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-bench-5.6.40-1.29.amzn1.x86_64
    mysql56-common-5.6.40-1.29.amzn1.x86_64
    mysql56-errmsg-5.6.40-1.29.amzn1.x86_64
    mysql56-server-5.6.40-1.29.amzn1.x86_64
    mysql56-devel-5.6.40-1.29.amzn1.x86_64
    mysql56-embedded-5.6.40-1.29.amzn1.x86_64
    mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2018-1027.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###