ID CVE-2015-4895
Summary Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
References
Vulnerable Configurations
  • Oracle MySQL 5.6.25
    cpe:2.3:a:oracle:mysql:5.6.25
CVSS
Base: 3.5 (as of 07-04-2016 - 11:39)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Databases
    NASL id MARIADB_10_0_21.NASL
    description The version of MariaDB installed on the remote host is 10.0.x prior to 10.0.21. It is, therefore, affected by the following vulnerabilities : - Multiple unspecified flaws exist in the InnoDB component that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-4816, CVE-2015-4895) - An unspecified flaw exists in the Client Programs component that allows a local attacker to gain elevated privileges. (CVE-2015-4819) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to impact confidentiality, integrity, and availability. No other details are available. (CVE-2015-4879) - A denial of service vulnerability exists in the base_list_iterator::next_fast() function within file sql/sql_parse.cc when handling multi-table updates. An authenticated, remote attacker can exploit this to crash the server. - A denial of service vulnerability exists in the ACL_internal_schema_registry::lookup() function within file sql/sql_acl.cc when handling multi-table updates. An authenticated, remote attacker can exploit this to crash the server. - A denial of service vulnerability exists in the Item_func_group_concat::fix_fields() function within file sql/item_sum.cc when handling arguments on the second execution of PS. An authenticated, remote attacker can exploit this to crash the server. - A denial of service vulnerability exists in select_lex->non_agg_fields when using ONLY_FULL_GROUP_BY in a stored procedure or trigger that is repeatedly executed. An authenticated, remote attacker can exploit this to crash the server. - A denial of service vulnerability exists in the Materialized_cursor() function within file sql/sql_cursor.cc when handling temporary tables. An authenticated, remote attacker can exploit this to crash the server. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93845
    published 2016-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93845
    title MariaDB 10.0.x < 10.0.21 Multiple Vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-684.NASL
    description wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, also known as a Lenstra attack. (CVE-2015-7744) Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges. (CVE-2015-4864) Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. (CVE-2015-4866) Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. (CVE-2015-4861) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2015-4862) Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0616) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached. (CVE-2015-4910) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML, a different vulnerability than CVE-2015-4858 . (CVE-2015-4913) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. (CVE-2016-0610) Unspecified vulnerability in Oracle MySQL 5.6.21 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0594) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0595) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0596) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0597) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0598) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4802 . (CVE-2015-4792) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges. (CVE-2015-4791) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier, when running on Windows, allows remote authenticated users to affect availability via unknown vectors related to Server : Query Cache. (CVE-2015-4807) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser. (CVE-2015-4870) Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0599) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. (CVE-2016-0546) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2015-4913 . (CVE-2015-4858) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DDL. (CVE-2015-4815) Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. (CVE-2015-4833) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges. (CVE-2015-4830) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : SP. (CVE-2015-4836) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to UDF. (CVE-2016-0608) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to privileges. (CVE-2016-0609) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to Options. (CVE-2016-0505) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0503 . (CVE-2016-0504) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Replication. (CVE-2015-4890) Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Partition. (CVE-2016-0601) Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to libmysqld. (CVE-2015-4904) Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML. (CVE-2015-4905) Unspecified vulnerability in Oracle MySQL 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors. (CVE-2016-0605) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect integrity via unknown vectors related to encryption. (CVE-2016-0606) Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect availability via unknown vectors related to Server : Security : Firewall. (CVE-2015-4766) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0611) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to replication. (CVE-2016-0607) Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client programs. (CVE-2015-4819) Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML. (CVE-2015-4879) Unspecified vulnerability in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0502) Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. (CVE-2015-4895) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0504 . (CVE-2016-0503) Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. (CVE-2016-0600) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4792 . (CVE-2015-4802) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. (CVE-2015-4800) Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Types. (CVE-2015-4826)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 90366
    published 2016-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90366
    title Amazon Linux AMI : mysql56 (ALAS-2016-684)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2303-1.NASL
    description The mysql package was updated to version 5.5.46 to fixs several security and non security issues. - bnc#951391: update to version 5.5.46 - changes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 46.html - fixed CVEs: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913 - bnc#952196: Fixed a build error for ppc*, s390* and ia64 architectures. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87525
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87525
    title SUSE SLED11 / SLES11 Security Update : mysql (SUSE-SU-2015:2303-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2781-1.NASL
    description Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.46 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 15.04 and Ubuntu 15.10 have been updated to MySQL 5.6.27. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-45.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-46.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-26.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-27.html http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.h tml. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86617
    published 2015-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86617
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : mysql-5.5, mysql-5.6 vulnerabilities (USN-2781-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3385.NASL
    description Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.22. Please see the MariaDB 10.0 Release Notes for further details : - https://mariadb.com/kb/en/mariadb/mariadb-10021-release- notes/ - https://mariadb.com/kb/en/mariadb/mariadb-10022-release- notes/
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 86679
    published 2015-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86679
    title Debian DSA-3385-1 : mariadb-10.0 - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0121-1.NASL
    description MariaDB has been updated to version 10.0.22, which brings fixes for many security issues and other improvements. The following CVEs have been fixed : - 10.0.22: CVE-2015-4802, CVE-2015-4807, CVE-2015-4815, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4913, CVE-2015-4792 - 10.0.21: CVE-2015-4816, CVE-2015-4819, CVE-2015-4879, CVE-2015-4895 The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87964
    published 2016-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87964
    title SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2016:0121-1)
  • NASL family Databases
    NASL id MYSQL_5_6_27.NASL
    description The version of MySQL running on the remote host is 5.6.x prior to 5.6.27. It is, therefore, potentially affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819) - An unspecified flaw exists in the Types subcomponent. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4826) - An unspecified flaws exist in the Security:Privileges subcomponent. An authenticated, remote attacker can exploit these to impact integrity. (CVE-2015-4830, CVE-2015-4864) - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879) - An unspecified flaw exists in the Server Security Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2015-7744) Additionally, unspecified denial of service vulnerabilities can also exist in the following MySQL subcomponents : - DDL (CVE-2015-4815) - DML (CVE-2015-4858, CVE-2015-4862, CVE-2015-4905, CVE-2015-4913) - InnoDB (CVE-2015-4861, CVE-2015-4866, CVE-2015-4895) - libmysqld (CVE-2015-4904) - Memcached (CVE-2015-4910) - Optimizer (CVE-2015-4800) - Parser (CVE-2015-4870) - Partition (CVE-2015-4792, CVE-2015-4802, CVE-2015-4833) - Query (CVE-2015-4807) - Replication (CVE-2015-4890) - Security : Firewall (CVE-2015-4766) - Server : General (CVE-2016-0605) - Security : Privileges (CVE-2015-4791) - SP (CVE-2015-4836) - Types (CVE-2015-4730)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 86547
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86547
    title MySQL 5.6.x < 5.6.27 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-889.NASL
    description MySQL was updated to 5.6.27 to fix security issues and bugs. The following vulnerabilities were fixed as part of the upstream release [boo#951391]: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913 Details on these and other changes can be found at: http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-27.html The following security relevant changes are included additionally : - CVE-2015-3152: MySQL lacked SSL enforcement. Using --ssl-verify-server-cert and --ssl[-*] implies that the ssl connection is required. The mysql client will now print an error if ssl is required, but the server can not handle a ssl connection [boo#924663], [boo#928962]
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 87442
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87442
    title openSUSE Security Update : mysql (openSUSE-2015-889) (BACKRONYM)
  • NASL family Databases
    NASL id MYSQL_5_6_26_RPM.NASL
    description The version of Oracle MySQL installed on the remote host is 5.6.x prior to 5.6.26. It is, therefore, affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819) - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879) Additionally, unspecified denial of service vulnerabilities exist in the following MySQL subcomponents : - InnoDB (CVE-2015-4895) - libmysqld (CVE-2015-4904) - Partition (CVE-2015-4833) - Security:Firewall (CVE-2015-4766)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 86660
    published 2015-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86660
    title Oracle MySQL 5.6.x < 5.6.26 Multiple Vulnerabilities (October 2015 CPU)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-E30164D0A2.NASL
    description This is an update to 10.0.23 that delivers also all fixes for CVE-2015-4792, CVE-2015-4802, CVE-2015-4807, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4879, CVE-2015-4895, CVE-2015-4913, CVE-2015-7744, CVE-2016-0502, CVE-2016-0503, CVE-2016-0504, CVE-2016-0505, CVE-2016-0546, CVE-2016-0594, CVE-2016-0595, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0599, CVE-2016-0600, CVE-2016-0601, CVE-2016-0605, CVE-2016-0606, CVE-2016-0607, CVE-2016-0608, CVE-2016-0609, CVE-2016-0610, CVE-2016-0611, CVE-2016-0616 (some of them were fixed in previous update already). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-06
    plugin id 89628
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89628
    title Fedora 23 : mariadb-10.0.23-1.fc23 (2016-e30164d0a2)
redhat via4
advisories
rhsa
id RHSA-2016:1132
refmap via4
bid 77136
confirm http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
debian DSA-3385
fedora FEDORA-2016-e30164d0a2
sectrack 1033894
ubuntu USN-2781-1
Last major update 23-12-2016 - 21:59
Published 21-10-2015 - 19:59
Last modified 04-01-2018 - 21:30
Back to Top