Amazon Linux AMI update for mysql56



Published: 2019-03-26 | Updated: 2019-05-22
Risk: Low
Patch available: YES
Number of vulnerabilities: 9
CVE-ID: CVE-2019-2507, CVE-2019-2481, CVE-2019-2482, CVE-2019-2503, CVE-2019-2534, CVE-2019-2537, CVE-2019-2531, CVE-2019-2455, CVE-2019-2529
CWE-ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Amazon Linux AMI (Operating systems & Components / Operating system)
Vendor: Amazon Web Services

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Denial of service

EUVDB-ID: #VU17041

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2507

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated high-privileged attacker to cause a DoS condition.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Denial of service

EUVDB-ID: #VU17040

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2481

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated high-privileged attacker to cause a DoS condition.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Denial of service

EUVDB-ID: #VU17024

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2482

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Security restrictions bypass

EUVDB-ID: #VU17029

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2503

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows an adjacent authenticated attacker to bypass security restrictions.

The weakness exists in MySQL Protocol due to an unspecified flaw. An adjacent attacker can bypass security restrictions to read potentially sensitive information and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU17026

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2534

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to bypass security restrictions.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can bypass security restrictions to read potentially sensitive information and modify arbitrary data.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Denial of service

EUVDB-ID: #VU17038

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2537

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated high-privileged attacker to cause a DoS condition.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Denial of service

EUVDB-ID: #VU17044

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2531

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated high-privileged attacker to cause a DoS condition.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Denial of service

EUVDB-ID: #VU17028

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2455

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Denial of service

EUVDB-ID: #VU17025

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2529

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition.

The weakness exists in MySQL Protocol due to an unspecified flaw. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages.

i686:
    mysql56-bench-5.6.43-1.32.amzn1.i686
    mysql56-libs-5.6.43-1.32.amzn1.i686
    mysql56-errmsg-5.6.43-1.32.amzn1.i686
    mysql56-embedded-devel-5.6.43-1.32.amzn1.i686
    mysql56-server-5.6.43-1.32.amzn1.i686
    mysql56-debuginfo-5.6.43-1.32.amzn1.i686
    mysql56-common-5.6.43-1.32.amzn1.i686
    mysql56-embedded-5.6.43-1.32.amzn1.i686
    mysql56-5.6.43-1.32.amzn1.i686
    mysql56-test-5.6.43-1.32.amzn1.i686
    mysql56-devel-5.6.43-1.32.amzn1.i686

src:
    mysql56-5.6.43-1.32.amzn1.src

x86_64:
    mysql56-test-5.6.43-1.32.amzn1.x86_64
    mysql56-bench-5.6.43-1.32.amzn1.x86_64
    mysql56-server-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-5.6.43-1.32.amzn1.x86_64
    mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64
    mysql56-libs-5.6.43-1.32.amzn1.x86_64
    mysql56-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-errmsg-5.6.43-1.32.amzn1.x86_64
    mysql56-common-5.6.43-1.32.amzn1.x86_64
    mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64
    mysql56-5.6.43-1.32.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1178.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


