SecurityTracker.com
Category:   Application (Database)  >   MySQL
Vendors:   MySQL.com, Oracle
MySQL Multiple Bugs Let Remote and Local Users Deny Service and Remote Authenticated Users Partially Access and Modify Data
SecurityTracker Alert ID:  1032911
SecurityTracker URL:  http://securitytracker.com/id/1032911
CVE Reference:   CVE-2015-2582, CVE-2015-2611, CVE-2015-2617, CVE-2015-2620, CVE-2015-2639, CVE-2015-2641, CVE-2015-2643, CVE-2015-2648, CVE-2015-2661, CVE-2015-4737, CVE-2015-4752, CVE-2015-4756, CVE-2015-4757, CVE-2015-4761, CVE-2015-4767, CVE-2015-4769, CVE-2015-4771, CVE-2015-4772
Date:  Jul 15 2015
Impact:   Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in MySQL. A remote authenticated user can partially access data on the target system. A remote authenticated user can partially modify data on the target system. A remote or local user can cause partial denial of service conditions on the target system.

A remote authenticated user can exploit a flaw in the MySQL Server Partition component to partially access data, partially modify data, and partially deny service [CVE-2015-2617].

A remote authenticated user can exploit a flaw in the MySQL Server DML component to cause partial denial of service conditions [CVE-2015-2648].

A remote authenticated user can exploit a flaw in the MySQL Server DML component to cause partial denial of service conditions [CVE-2015-2611].

A remote authenticated user can exploit a flaw in the MySQL Server GIS component to cause partial denial of service conditions [CVE-2015-2582].

A remote authenticated user can exploit a flaw in the MySQL Server I_S component to cause partial denial of service conditions [CVE-2015-4752].

A remote authenticated user can exploit a flaw in the MySQL Server InnoDB component to cause partial denial of service conditions [CVE-2015-4756].

A remote authenticated user can exploit a flaw in the MySQL Server Optimizer component to cause partial denial of service conditions [CVE-2015-2643].

A remote authenticated user can exploit a flaw in the MySQL Server Partition component to cause partial denial of service conditions [CVE-2015-4772].

A remote authenticated user can exploit a flaw in the MySQL Server Memcached component to cause partial denial of service conditions [CVE-2015-4761].

A remote authenticated user can exploit a flaw in the MySQL Server Optimizer component to cause partial denial of service conditions [CVE-2015-4757].

A remote authenticated user can exploit a flaw in the MySQL Server Pluggable Auth component to partially access data [CVE-2015-4737].

A remote authenticated user can exploit a flaw in the MySQL Server RBR component to cause partial denial of service conditions [CVE-2015-4771].

A remote authenticated user can exploit a flaw in the MySQL Server Firewall component to cause partial denial of service conditions [CVE-2015-4769].

A remote authenticated user can exploit a flaw in the MySQL Server Firewall component to partially modify data [CVE-2015-2639].

A remote authenticated user can exploit a flaw in the MySQL Server Privileges component to partially access data [CVE-2015-2620].

A remote authenticated user can exploit a flaw in the MySQL Server component to cause partial denial of service conditions [CVE-2015-2641].

A local user can exploit a flaw in the MySQL Server Client component to cause partial denial of service conditions [CVE-2015-2661].

A remote user can exploit a flaw in the MySQL Server Firewall component to cause partial denial of service conditions [CVE-2015-4767].

The following researchers reported these and other Oracle product vulnerabilities:

Adam Willard of Foreground Security; an Anonymous researcher via Beyond Security's SecuriTeam Secure Disclosure Program; Aniway.Anyway via HP's Zero Day Initiative; Arezou Hosseinzad-Amirkhizi of TELUS Security Labs; Benjamin Kunz Mejri of Evolution Security;
Borked of the Google Security Team; CERT/CC; Christiaan Esterhuizen of Trustwave; Christian Schneider; Danny Tsechansky; David Jorm; David Litchfield of Google; Derek Abdine of rapid7.com; Florian Lukavsky of SEC Consult Vulnerability Lab;
Florian Weimer of Red Hat; Hanno Bock; Jacob Smith; Juraj Somorovsky of Ruhr-University Bochum; Jorg Schwenk of Ruhr-University Bochum; Karthikeyan Bhargavan; Kyle Lovett; Martin Rakhmanov of Trustwave; Mateusz Jurczyk of Google Project Zero;
Microsoft Vulnerability Research of Microsoft Corp; Owais Mohammad Khan formerly of KPMG; Recx Ltd.; Richard Birkett of Worldpay; Richard Harrison of E.ON Business Services GmbH; Roberto Suggi Liverani of NATO Communications and Information Agency;
Sandeep Kamble of SecureLayer7; Steven Seeley of HP's Zero Day Initiative; Tibor Jager of Ruhr-University Bochum; Tudor Enache of Help AG; and Vladimir Wolstencroft.

Impact:   A remote authenticated user can partially access data on the target system.

A remote authenticated user can partially modify data on the target system.

A local user can cause partial denial of service conditions on the target system.

A remote user can cause partial denial of service conditions.

Solution:   The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - July 2015.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Vendor URL:  www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 21 2015 (Ubuntu Issues Fix) MySQL Multiple Bugs Let Remote and Local Users Deny Service and Remote Authenticated Users Partially Access and Modify Data
Ubuntu has issued a fix for 12.04 LTS, 14.04 LTS, 14.10, and 15.04.
Aug 18 2015 (Red Hat Issues Fix) MySQL Multiple Bugs Let Remote and Local Users Deny Service and Remote Authenticated Users Partially Access and Modify Data
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Oct 16 2015 (Juniper Issues Fix for Juniper Junos Space) MySQL Multiple Bugs Let Remote and Local Users Deny Service and Remote Authenticated Users Partially Access and Modify Data
Juniper has issued a fix for Juniper Junos Space.


