SUSE update for mariadb
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU63827
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-46669
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a use-after-free error in the convert_const_to_int() function when processing BIGINT data type. A remote attacker can trigger use-after-free error and perform a denial of service attack.
MitigationUpdate the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU62418
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21427
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: FTS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationUpdate the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU63508
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27377
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to a use-after-free error in the Item_func_in::cleanup() function. A remote user can pass specially crafted SQL statements and cause a denial of service.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) SQL injection
EUVDB-ID: #VU63510
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27378
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Create_tmp_table::finalize() function. A remote user can send specially crafted SQL statements to the affected application and perform a denial of service attack.
MitigationUpdate the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) SQL injection
EUVDB-ID: #VU63514
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27380
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to insufficient sanitization of user-supplied data in the my_decimal::operator=() function. A remote user can send specially crafted SQL statements to the affected application and perform a denial of service attack.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) SQL injection
EUVDB-ID: #VU63515
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27381
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Field::set_default() function. A remote user can send specially crafted SQL statements to the affected application and perform a denial of service attack.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU63517
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27383
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to a use-after-free error in the my_strcasecmp_8bit component. A remote user can pass specially crafted SQL statements and cause a denial of service.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) SQL injection
EUVDB-ID: #VU63519
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27384
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Item_subselect::init_expr_cache_tracker() function. A remote user can send specially crafted SQL statements to the affected application and perform a denial of service attack.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU63520
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27386
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to segmentation fault via the sql/sql_class.cc component. A remote user can send specially crafted data and perform a denial of service attack.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Buffer overflow
EUVDB-ID: #VU63521
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27387
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to buffer overflow error in the decimal_bin_size component. A remote user can send specially crafted SQL statements to the affected application, trigger buffer overflow error and perform a denial of service attack.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU63525
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27445
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to segmentation fault via the sql/sql_window.cc component. A remote user can send specially crafted data and perform a denial of service attack.
Update the affected package mariadb to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP: 15 - 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.4
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
mariadb-errormessages: before 10.2.44-150000.3.54.1
mariadb-tools-debuginfo: before 10.2.44-150000.3.54.1
mariadb-tools: before 10.2.44-150000.3.54.1
mariadb-debugsource: before 10.2.44-150000.3.54.1
mariadb-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client-debuginfo: before 10.2.44-150000.3.54.1
mariadb-client: before 10.2.44-150000.3.54.1
mariadb: before 10.2.44-150000.3.54.1
libmysqld19-debuginfo: before 10.2.44-150000.3.54.1
libmysqld19: before 10.2.44-150000.3.54.1
libmysqld-devel: before 10.2.44-150000.3.54.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222107-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
