Multiple vulnerabilities in MySQL Cluster



Published: 2021-10-19
Risk High
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2021-35618
CVE-2021-35613
CVE-2021-35584
CVE-2021-35621
CVE-2021-35598
CVE-2021-35594
CVE-2021-35593
CVE-2021-35592
CVE-2021-35590
CVE-2021-22931
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
MySQL Cluster
Web applications / Remote management & hosting panels

Vendor Oracle

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU57552

Risk: Low

CVSSv3.1: 1.6 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35618

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU57547

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35613

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU57546

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35584

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Cluster: ndbcluster/plugin DDL component in MySQL Cluster. A remote authenticated user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU57509

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35621

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10, 7.4.11, 7.4.12, 7.4.13, 7.4.14, 7.4.15, 7.4.16, 7.4.17, 7.4.18, 7.4.19, 7.4.20, 7.4.21, 7.4.22, 7.4.23, 7.4.24, 7.4.25, 7.4.26, 7.4.27, 7.4.28, 7.4.29, 7.4.30, 7.4.31, 7.4.32, 7.4.33, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9, 7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15, 7.6.16, 7.6.17, 7.6.18, 7.6.19, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU57508

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35598

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10, 7.4.11, 7.4.12, 7.4.13, 7.4.14, 7.4.15, 7.4.16, 7.4.17, 7.4.18, 7.4.19, 7.4.20, 7.4.21, 7.4.22, 7.4.23, 7.4.24, 7.4.25, 7.4.26, 7.4.27, 7.4.28, 7.4.29, 7.4.30, 7.4.31, 7.4.32, 7.4.33, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9, 7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15, 7.6.16, 7.6.17, 7.6.18, 7.6.19, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU57507

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35594

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10, 7.4.11, 7.4.12, 7.4.13, 7.4.14, 7.4.15, 7.4.16, 7.4.17, 7.4.18, 7.4.19, 7.4.20, 7.4.21, 7.4.22, 7.4.23, 7.4.24, 7.4.25, 7.4.26, 7.4.27, 7.4.28, 7.4.29, 7.4.30, 7.4.31, 7.4.32, 7.4.33, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9, 7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15, 7.6.16, 7.6.17, 7.6.18, 7.6.19, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper input validation

EUVDB-ID: #VU57506

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35593

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10, 7.4.11, 7.4.12, 7.4.13, 7.4.14, 7.4.15, 7.4.16, 7.4.17, 7.4.18, 7.4.19, 7.4.20, 7.4.21, 7.4.22, 7.4.23, 7.4.24, 7.4.25, 7.4.26, 7.4.27, 7.4.28, 7.4.29, 7.4.30, 7.4.31, 7.4.32, 7.4.33, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9, 7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15, 7.6.16, 7.6.17, 7.6.18, 7.6.19, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper input validation

EUVDB-ID: #VU57505

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35592

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9, 7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15, 7.6.16, 7.6.17, 7.6.18, 7.6.19, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper input validation

EUVDB-ID: #VU57504

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35590

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10, 7.4.11, 7.4.12, 7.4.13, 7.4.14, 7.4.15, 7.4.16, 7.4.17, 7.4.18, 7.4.19, 7.4.20, 7.4.21, 7.4.22, 7.4.23, 7.4.24, 7.4.25, 7.4.26, 7.4.27, 7.4.28, 7.4.29, 7.4.30, 7.4.31, 7.4.32, 7.4.33, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.6.6, 7.6.7, 7.6.8, 7.6.9, 7.6.10, 7.6.11, 7.6.12, 7.6.13, 7.6.14, 7.6.15, 7.6.16, 7.6.17, 7.6.18, 7.6.19, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU57498

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22931

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General (Node.js) component in MySQL Cluster. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Cluster: 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26

CPE2.3 External links

http://www.oracle.com/security-alerts/cpuoct2021.html?62368

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###