SecurityTracker.com

Category:   Application (Database)  >   MySQL
Vendors:   MySQL.com, Oracle
MySQL Multiple Bugs Let Remote Users Access and Modify Data and Deny Service and Let Remote and Remote Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID:  1035606
SecurityTracker URL:  http://securitytracker.com/id/1035606
CVE Reference:   CVE-2016-0639, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0652, CVE-2016-0653, CVE-2016-0654, CVE-2016-0655, CVE-2016-0656, CVE-2016-0657, CVE-2016-0658, CVE-2016-0659, CVE-2016-0661, CVE-2016-0662, CVE-2016-0663, CVE-2016-0665, CVE-2016-0666, CVE-2016-0667, CVE-2016-0668, CVE-2016-2047, CVE-2016-3461
Date:  Apr 20 2016
Impact:   Denial of service via local system, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.5.48, 5.6.29, 5.7.11; and prior versions
Description:   Multiple vulnerabilities were reported in MySQL. A local user can cause denial of service conditions on the target system. A local user can access and modify data on the target system. A remote or remote authenticated user can gain elevated privileges.

A remote user can exploit a flaw in the Server Pluggable Authentication component to gain elevated privileges [CVE-2016-0639].

A remote authenticated user can exploit a flaw in the Monitoring Server component to gain elevated privileges [CVE-2016-3461].

A local user can exploit a flaw in the Server DML component to partially modify data and cause denial of service conditions [CVE-2016-0640].

A remote user can exploit a flaw in the Server Connection Handling component to modify data [CVE-2016-2047].

A local user can exploit a flaw in the Server DDL component to cause denial of service conditions [CVE-2016-0644].

A local user can exploit a flaw in the Server DML component to cause denial of service conditions [CVE-2016-0646, CVE-2016-0652].

A local user can exploit a flaw in the Server FTS component to cause denial of service conditions [CVE-2016-0647, CVE-2016-0653].

A local user can exploit a flaw in the Server InnoDB component to cause denial of service conditions [CVE-2016-0654, CVE-2016-0656].

A local user can exploit a flaw in the Server JSON component to access data [CVE-2016-0657].

A local user can exploit a flaw in the Server Optimizer component to cause denial of service conditions [CVE-2016-0651, CVE-2016-0658, CVE-2016-0659].

A local user can exploit a flaw in the Server PS component to cause denial of service conditions [CVE-2016-0648, CVE-2016-0649].

A local user can exploit a flaw in the Server Partition component to cause denial of service conditions [CVE-2016-0662].

A local user can exploit a flaw in the Server Replication component to cause denial of service conditions [CVE-2016-0650].

A local user can exploit a flaw in the Server Security Encryption component to cause denial of service conditions [CVE-2016-0665].

A local user can exploit a flaw in the Server Security Privileges component to cause denial of service conditions [CVE-2016-0666].

A local user can exploit a flaw in the Server MyISAM component to partially access data and cause denial of service conditions [CVE-2016-0641].

A local user can exploit a flaw in the Server Federated component to partially modify data and cause denial of service conditions [CVE-2016-0642].

A local user can exploit a flaw in the Server InnoDB component to cause denial of service conditions [CVE-2016-0655, CVE-2016-0668].

A local user can exploit a flaw in the Server Options component to cause denial of service conditions [CVE-2016-0661].

A local user can exploit a flaw in the Server Performance Schema component to cause denial of service conditions [CVE-2016-0663].

A local user can exploit a flaw in the Server Locking component to cause denial of service conditions [CVE-2016-0667].

A local user can exploit a flaw in the Server DML component to partially access data [CVE-2016-0643].

Alex Gaynor; Alexander Innes of Necurity; Bees Bobo of CloverSec Labs; bo13oy of Trend Micro's Zero Day Initiative; Daniel Bleichenbacher of Google; David Cash of NCC Group; David Litchfield of Google; Dennis Tighe of Amazon Web Services IT Security;
Aleksandar Nikolic of Cisco Talos; Jacob Baines of Tenable Network Security; Jakub Palaczynski from ING Services Polska; Joshua Maddux; Marcin Woloszyn of ING Services Polska; Mark E D Thomas; Martin Petran of Accenture; Matias Mevied of Onapsis;
Paul Kehrer; Pierre Ernst of Salesforce.com; Quan Nguyen of Google; six and m4xk from Docler Holding IT Security Team; Steffen Gurtler of Bosch Software Innovations GmbH; Sule Bekin of Turk Telekom; and Thomas Van Tongerloo of Hewlett Packard Enterprise.

Impact:   A local user can cause denial of service conditions on the target system.

A local user can obtain data on the target system.

A local user can modify data on the target system.

A remote user can gain elevated privileges on the target system.

A remote authenticated user can gain elevated privileges on the target system.

Solution:   The vendor has issued a fix as part of the April 2016 Oracle Critical Patch Update.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Vendor URL:  www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
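
A triage sketch for the "Version(s)" field above, added here as an example and not part of the original advisory: it classifies server version strings from an inventory against the last affected release in each branch (5.5.48, 5.6.29, 5.7.11). The host names and version strings are constructed, and treating branches older than 5.5 as affected is an assumption drawn from "and prior versions".

```python
import re

# Last affected release per branch, from the advisory's "Version(s)" field.
LAST_AFFECTED = {(5, 5): 48, (5, 6): 29, (5, 7): 11}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(version_string):
    """Map a server version string to 'affected', 'not-affected',
    'not-listed' or 'unknown'."""
    if "mariadb" in version_string.lower():
        return "unknown"          # the advisory names MySQL.com/Oracle builds only
    match = _VERSION_RE.search(version_string)
    if match is None:
        return "unknown"
    major, minor, patch = (int(part) for part in match.groups())
    branch = (major, minor)
    if branch in LAST_AFFECTED:
        return "affected" if patch <= LAST_AFFECTED[branch] else "not-affected"
    if branch < min(LAST_AFFECTED):
        return "affected"         # assumption: covered by "and prior versions"
    return "not-listed"           # branch newer than any the advisory names


def triage(inventory):
    """Return {host: status} for a {host: version string} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "db-a": "mysqld  Ver 5.7.11 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-b": "5.6.30-log",
    "db-c": "mysql  Ver 14.14 Distrib 5.5.48, for debian-linux-gnu (x86_64)",
    "db-d": "5.1.73",
    "db-e": "5.5.5-10.1.13-MariaDB",
    "db-f": "8.0.36",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Distribution packages can carry backported fixes under an unchanged upstream version number, so confirm an "affected" result against the package changelog of the vendor fix listed in the message history.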

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 25 2016 (Ubuntu Issues Fix) MySQL Multiple Bugs Let Remote Users Access and Modify Data and Deny Service and Let Remote and Remote Authenticated Users Gain Elevated Privileges
Ubuntu has issued a fix for Ubuntu Linux 16.04 LTS.
May 2 2016 (Red Hat Issues Fix) MySQL Multiple Bugs Let Remote Users Access and Modify Data and Deny Service and Let Remote and Remote Authenticated Users Gain Elevated Privileges
Red Hat has issued a fix for rh-mysql56-mysql for Red Hat Enterprise Linux 6, 6.6, 6.7, 7, 7.1, and 7.2.
Jul 25 2016 (Red Hat Issues Fix) MySQL Multiple Bugs Let Remote Users Access and Modify Data and Deny Service and Let Remote and Remote Authenticated Users Gain Elevated Privileges
Red Hat has issued a fix for mysql55-mysql for Red Hat Enterprise Linux 6, 6.6, 6.7, 7, 7.1, and 7.2.
Aug 12 2016 (Red Hat Issues Fix) MySQL Multiple Bugs Let Remote Users Access and Modify Data and Deny Service and Let Remote and Remote Authenticated Users Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Aug 12 2016 (Oracle Issues Fix for Oracle Linux) MySQL Multiple Bugs Let Remote Users Access and Modify Data and Deny Service and Let Remote and Remote Authenticated Users Gain Elevated Privileges
Oracle has issued a fix for Oracle Linux 7.
Apr 8 2017 (IBM Issues Fix for IBM Security Guardium) MySQL Multiple Bugs Let Remote Users Access and Modify Data and Deny Service and Let Remote and Remote Authenticated Users Gain Elevated Privileges
IBM has issued a fix for IBM Security Guardium.



Copyright 2019, SecurityGlobal.net LLC