ID CVE-2016-6662
Summary Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.
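The chain in the summary leaves a visible end state on disk: an option file mysqld reads at startup (the my.cnf in the datadir that the SUSE and Red Hat descriptions mention, or anything pulled in through !includedir) carrying a malloc_lib directive, and written by the mysql user rather than by root. The following auditor is an added example written for this page, not code from the CVE record, Oracle, MariaDB or Percona. ALLOWED_MALLOC_DIRS (the system library directories to which the patched mysqld_safe limits --malloc-lib) and DEFAULT_PATHS are this example's assumptions; the page itself only records that the load path was restricted. The library name in the sample is the one quoted in the Nessus description; the sample file is constructed, not a capture.

```python
"""Audit MySQL / MariaDB option files for the settings CVE-2016-6662 chains together.

Added example, not code from the CVE record, Oracle, MariaDB or Percona. It parses
the option-file format ([group] headers, key=value or bare keys, '#'/';' comments,
'-' and '_' interchangeable in option names, !include/!includedir) and flags:
malloc_lib pointing outside the system library directories (ALLOWED_MALLOC_DIRS
and DEFAULT_PATHS are this example's assumptions), a server log option whose
target looks like an option file, and option files not owned by root.
"""
import os
import re
from collections import namedtuple

ALLOWED_MALLOC_DIRS = frozenset({"/usr/lib", "/usr/lib64",
                                 "/usr/lib/i386-linux-gnu", "/usr/lib/x86_64-linux-gnu"})
DEFAULT_PATHS = ("/etc/my.cnf", "/etc/mysql/my.cnf", "/var/lib/mysql/my.cnf")  # assumed
LOG_PATH_OPTIONS = frozenset({"general_log_file", "slow_query_log_file", "log_error"})
CONFIG_SUFFIXES = (".cnf", ".ini")
_GROUP_RE = re.compile(r"^\[([^\]]+)\]")
_INCLUDE_RE = re.compile(r"^!include(dir)?\s+(\S.*?)\s*$")

Finding = namedtuple("Finding", "path group option value reason")


def normalize_option(name):
    """mysqld treats malloc-lib and malloc_lib as the same option name."""
    return name.strip().lower().replace("-", "_")


def parse_option_text(text):
    """Yield (group, option, value); includes come out as ('!include', kind, target)."""
    group = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        inc = _INCLUDE_RE.match(line)
        if inc:
            yield ("!include", "dir" if inc.group(1) else "file", inc.group(2))
            continue
        grp = _GROUP_RE.match(line)
        if grp:
            group = grp.group(1).strip().lower()
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0]          # trailing comment
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                                 # quoted value
        yield (group, normalize_option(key), value)


def audit_option_text(text, path="<text>", expect_malloc_lib=False):
    """Return a list of Finding for one option file's contents."""
    findings = []
    for group, option, value in parse_option_text(text):
        if group == "!include":
            continue
        if option == "malloc_lib" and value:
            # A bare name is resolved by mysqld_safe inside the system directories;
            # a path is loaded from wherever it points, which is what the exploit needs.
            if "/" in value and os.path.dirname(value) not in ALLOWED_MALLOC_DIRS:
                findings.append(Finding(path, group, option, value,
                    "malloc_lib loads a library from outside the system library directories"))
            elif not expect_malloc_lib:
                findings.append(Finding(path, group, option, value,
                    "malloc_lib is set but this server is not expected to use a custom allocator"))
        elif option in LOG_PATH_OPTIONS and value.lower().endswith(CONFIG_SUFFIXES):
            findings.append(Finding(path, group, option, value,
                "server log is directed into an option file that mysqld reads at startup"))
    return findings


def audit_files(paths=DEFAULT_PATHS, expect_malloc_lib=False):
    """Audit existing files, follow includes, and flag files mysqld itself could rewrite."""
    findings, queue, seen = [], list(paths), set()
    while queue:
        path = os.path.realpath(queue.pop(0))
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        if os.stat(path).st_uid != 0:
            findings.append(Finding(path, "", "", "",
                "option file is not owned by root, so the mysql user can rewrite it"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        findings += audit_option_text(text, path, expect_malloc_lib)
        for group, kind, target in parse_option_text(text):
            if group == "!include" and kind == "file":
                queue.append(target)
            elif group == "!include" and os.path.isdir(target):
                queue += sorted(os.path.join(target, f) for f in os.listdir(target)
                                if f.endswith(".cnf"))
    return findings


# Constructed sample, not a real capture: a datadir my.cnf as the attack leaves it.
PLANTED_SAMPLE = """\
[mysqld]
general_log_file = /var/lib/mysql/my.cnf   # log redirected into the option file

[mysqld_safe]
malloc-lib = /var/lib/mysql/mysql_hookandroot_lib.so
!includedir /etc/mysql/conf.d/
"""

if __name__ == "__main__":
    for f in audit_option_text(PLANTED_SAMPLE, "/var/lib/mysql/my.cnf"):
        print(f"{f.path} [{f.group}] {f.option}={f.value!r}: {f.reason}")
```

Run audit_files() as root on a live host, or pass the paths your distribution actually uses. A my.cnf produced through the general log also contains the log banner and header lines; they parse as bare options without a value and are ignored, so the planted malloc_lib line is still reported. The ownership check is the quickest triage: a packaged option file belongs to root, while one the server wrote through its own log belongs to the mysql user.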
References
Vulnerable Configurations
  • Oracle MySQL 5.5.52
    cpe:2.3:a:oracle:mysql:5.5.52
  • Oracle MySQL 5.6.33
    cpe:2.3:a:oracle:mysql:5.6.33
  • Oracle MySQL 5.7.15
    cpe:2.3:a:oracle:mysql:5.7.15
  • Percona Server 5.5.50-38.0
    cpe:2.3:a:percona:percona_server:5.5.50-38.0
  • Percona Server 5.6.31-77.0
    cpe:2.3:a:percona:percona_server:5.6.31-77.0
  • Percona Server 5.7.13-6
    cpe:2.3:a:percona:percona_server:5.7.13-6
  • MariaDB 5.5.50
    cpe:2.3:a:mariadb:mariadb:5.5.50
  • MariaDB 10.0.0
    cpe:2.3:a:mariadb:mariadb:10.0.0
  • MariaDB 10.0.1
    cpe:2.3:a:mariadb:mariadb:10.0.1
  • MariaDB 10.0.2
    cpe:2.3:a:mariadb:mariadb:10.0.2
  • MariaDB 10.0.3
    cpe:2.3:a:mariadb:mariadb:10.0.3
  • MariaDB 10.0.4
    cpe:2.3:a:mariadb:mariadb:10.0.4
  • MariaDB 10.0.5
    cpe:2.3:a:mariadb:mariadb:10.0.5
  • MariaDB 10.0.6
    cpe:2.3:a:mariadb:mariadb:10.0.6
  • MariaDB 10.0.7
    cpe:2.3:a:mariadb:mariadb:10.0.7
  • MariaDB 10.0.8
    cpe:2.3:a:mariadb:mariadb:10.0.8
  • MariaDB 10.0.9
    cpe:2.3:a:mariadb:mariadb:10.0.9
  • MariaDB 10.0.10
    cpe:2.3:a:mariadb:mariadb:10.0.10
  • MariaDB 10.0.11
    cpe:2.3:a:mariadb:mariadb:10.0.11
  • MariaDB 10.0.12
    cpe:2.3:a:mariadb:mariadb:10.0.12
  • MariaDB 10.0.13
    cpe:2.3:a:mariadb:mariadb:10.0.13
  • MariaDB 10.0.14
    cpe:2.3:a:mariadb:mariadb:10.0.14
  • MariaDB 10.0.15
    cpe:2.3:a:mariadb:mariadb:10.0.15
  • MariaDB 10.0.16
    cpe:2.3:a:mariadb:mariadb:10.0.16
  • MariaDB 10.0.17
    cpe:2.3:a:mariadb:mariadb:10.0.17
  • MariaDB 10.0.18
    cpe:2.3:a:mariadb:mariadb:10.0.18
  • MariaDB 10.0.19
    cpe:2.3:a:mariadb:mariadb:10.0.19
  • MariaDB 10.0.20
    cpe:2.3:a:mariadb:mariadb:10.0.20
  • MariaDB 10.0.21
    cpe:2.3:a:mariadb:mariadb:10.0.21
  • MariaDB 10.0.22
    cpe:2.3:a:mariadb:mariadb:10.0.22
  • MariaDB 10.0.23
    cpe:2.3:a:mariadb:mariadb:10.0.23
  • MariaDB 10.0.24
    cpe:2.3:a:mariadb:mariadb:10.0.24
  • MariaDB 10.0.25
    cpe:2.3:a:mariadb:mariadb:10.0.25
  • MariaDB 10.0.26
    cpe:2.3:a:mariadb:mariadb:10.0.26
  • MariaDB 10.1.0
    cpe:2.3:a:mariadb:mariadb:10.1.0
  • MariaDB 10.1.1
    cpe:2.3:a:mariadb:mariadb:10.1.1
  • MariaDB 10.1.2
    cpe:2.3:a:mariadb:mariadb:10.1.2
  • MariaDB 10.1.3
    cpe:2.3:a:mariadb:mariadb:10.1.3
  • MariaDB 10.1.4
    cpe:2.3:a:mariadb:mariadb:10.1.4
  • MariaDB 10.1.5
    cpe:2.3:a:mariadb:mariadb:10.1.5
  • MariaDB 10.1.6
    cpe:2.3:a:mariadb:mariadb:10.1.6
  • MariaDB 10.1.7
    cpe:2.3:a:mariadb:mariadb:10.1.7
  • MariaDB 10.1.8
    cpe:2.3:a:mariadb:mariadb:10.1.8
  • MariaDB 10.1.9
    cpe:2.3:a:mariadb:mariadb:10.1.9
  • MariaDB 10.1.10
    cpe:2.3:a:mariadb:mariadb:10.1.10
  • MariaDB 10.1.11
    cpe:2.3:a:mariadb:mariadb:10.1.11
  • MariaDB 10.1.12
    cpe:2.3:a:mariadb:mariadb:10.1.12
  • MariaDB 10.1.13
    cpe:2.3:a:mariadb:mariadb:10.1.13
  • MariaDB 10.1.14
    cpe:2.3:a:mariadb:mariadb:10.1.14
  • MariaDB 10.1.15
    cpe:2.3:a:mariadb:mariadb:10.1.15
  • MariaDB 10.1.16
    cpe:2.3:a:mariadb:mariadb:10.1.16
CVSS
Base: 10.0 (as of 01-11-2016 - 14:04)
Impact:
Exploitability:
CWE CWE-264
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different from standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    REST uses the standard HTTP methods (GET, PUT, DELETE) as its permission model, but these are not necessarily correlated with back-end programs. A strict interpretation of the HTTP GET method means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit the URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance, an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
Vector   Complexity   Authentication
NETWORK  LOW          NONE
Impact
Confidentiality   Integrity   Availability
COMPLETE          COMPLETE    COMPLETE
exploit-db via4
description MySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 - Code Execution / Privilege Escalation. CVE-2016-6662. Local exploit for Linux platform
file exploits/linux/local/40360.txt
id EDB-ID:40360
last seen 2016-09-12
modified 2016-09-12
platform linux
port 3306
published 2016-09-12
reporter Dawid Golunski
source https://www.exploit-db.com/download/40360/
title MySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 - Code Execution / Privilege Escalation
type local
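The statements that build that state are ordinary SQL issued by the "administrative database user, or a database user with FILE privileges" the advisories below describe: a SET GLOBAL that repoints general_log_file at an option file (SUPER), and INTO OUTFILE / INTO DUMPFILE writes that drop the shared library or the .cnf itself (FILE). Both land in the general query log, or in an audit plugin, before the log is redirected. The scanner below is an added example, not code from the CVE record, Oracle or the exploit author. It assumes the FILE-destination general log layout (timestamp, thread id, command, argument, tab-separated); SAMPLE_LOG is constructed, not a capture.

```python
"""Scan MySQL general-query-log lines for the statement sequence behind CVE-2016-6662.

Added example; not from the CVE record, Oracle or the exploit author. It assumes
the FILE-destination general log layout: timestamp (blank when unchanged from the
previous line), tab, thread id, command, tab, argument. It flags a SET that points
a server log at an option file, and INTO OUTFILE / INTO DUMPFILE writes that create
an option file or a shared library. SAMPLE_LOG is a constructed sample, not a capture.
"""
import re

CONFIG_SUFFIXES = (".cnf", ".ini")
_LIBRARY_RE = re.compile(r"\.so(?:\.\d+)*$")
_LINE_RE = re.compile(r"^(?P<time>[^\t]*)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")
_SET_LOG_RE = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|PERSIST\s+|@@global\.)?"
    r"(?P<opt>general[_-]log[_-]file|slow[_-]query[_-]log[_-]file)"
    r"\s*=\s*['\"]?(?P<path>[^'\";]+)", re.IGNORECASE)
_OUTFILE_RE = re.compile(
    r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+['\"](?P<path>[^'\"]+)['\"]", re.IGNORECASE)


def parse_line(line):
    """Return (thread_id, command, argument) or None for banner and header lines."""
    m = _LINE_RE.match(line.rstrip("\r\n"))
    return (m.group("tid"), m.group("cmd"), m.group("arg")) if m else None


def classify(statement):
    """Return (rule, path) when the statement is one step of the chain, else None."""
    m = _SET_LOG_RE.search(statement)
    if m and m.group("path").strip().lower().endswith(CONFIG_SUFFIXES):
        return "log-redirected-to-option-file", m.group("path").strip()
    m = _OUTFILE_RE.search(statement)
    if m:
        path = m.group("path")
        if path.lower().endswith(CONFIG_SUFFIXES):
            return "option-file-written-with-file-privilege", path
        if _LIBRARY_RE.search(path.lower()):
            return "shared-library-written-with-file-privilege", path
    return None


def scan(lines):
    """Return hits as (line_no, thread_id, rule, path) over an iterable of log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed and parsed[1] == "Query":
            step = classify(parsed[2])
            if step:
                hits.append((n, parsed[0], step[0], step[1]))
    return hits


def suspicious_threads(hits):
    """Thread ids that performed at least two distinct steps: the strongest signal."""
    steps = {}
    for _, tid, rule, _ in hits:
        steps.setdefault(tid, set()).add(rule)
    return {tid for tid, rules in steps.items() if len(rules) >= 2}


SAMPLE_LOG = [  # constructed sample lines, not a real capture
    "/usr/sbin/mysqld, Version: 5.7.14-log (MySQL Community Server (GPL)). started with:",
    "Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock",
    "Time                 Id Command    Argument",
    "2016-09-12T10:00:01.000001Z\t    7 Connect\tattacker@localhost on shop using Socket",
    "2016-09-12T10:00:02.000002Z\t    7 Query\tSELECT 0x7f454c46 INTO DUMPFILE "
    "'/var/lib/mysql/mysql_hookandroot_lib.so'",
    "2016-09-12T10:00:03.000003Z\t    7 Query\tSET GLOBAL general_log_file = '/var/lib/mysql/my.cnf'",
    "\t    7 Query\tSET GLOBAL general_log = 'ON'",
    "2016-09-12T10:00:05.000005Z\t    8 Query\tSELECT id FROM orders WHERE id = 42",
    "2016-09-12T10:00:06.000006Z\t    8 Query\tSELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'",
]

if __name__ == "__main__":
    for n, tid, rule, path in scan(SAMPLE_LOG):
        print(f"line {n} thread {tid}: {rule} -> {path}")
    print("threads to investigate:", sorted(suspicious_threads(scan(SAMPLE_LOG))))
```

The general log records statements as the server receives them, so the SET that redirects it is normally the last entry in the old file; the scanner keys on that statement rather than on anything written afterwards. An ordinary INTO OUTFILE export (the CSV line in the sample) is not reported, only writes that produce an option file or a shared library, and suspicious_threads() raises the confidence when one connection performed more than one step. parse_line relies only on the tab layout, not on the timestamp format.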
nessus via4
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-756.NASL
    description It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.
    last seen 2018-04-19
    modified 2018-04-18
    plugin id 94022
    published 2016-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94022
    title Amazon Linux AMI : mysql55 / mysql56 (ALAS-2016-756)
  • NASL family Databases
    NASL id MYSQL_5_6_34_RPM.NASL
    description The version of MySQL running on the remote host is 5.6.x prior to 5.6.34. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the 'openssl ts' command, to cause denial of service or to disclose sensitive information. (CVE-2016-2180) - A denial of service vulnerability exists in the Anti-Replay feature in the DTLS implementation due to improper handling of epoch sequence numbers in records. An unauthenticated, remote attacker can exploit this, via spoofed DTLS records, to cause legitimate packets to be dropped. (CVE-2016-2181) - An overflow condition exists in the BN_bn2dec() function in bn_print.c due to improper validation of user-supplied input when handling BIGNUM values. An unauthenticated, remote attacker can exploit this to crash the process. (CVE-2016-2182) - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the tls_decrypt_ticket() function in t1_lib.c due to improper handling of ticket HMAC digests. An unauthenticated, remote attacker can exploit this, via a ticket that is too short, to crash the process, resulting in a denial of service. (CVE-2016-6302) - An integer overflow condition exists in the MDC2_Update() function in mdc2dgst.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possibly the execution of arbitrary code. (CVE-2016-6303) - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition. (CVE-2016-6304) - An out-of-bounds read error exists in the certificate parser that allows an unauthenticated, remote attacker to cause a denial of service via crafted certificate operations. (CVE-2016-6306) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. (CVE-2016-7440) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2017-10-29
    modified 2017-01-23
    plugin id 94197
    published 2016-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94197
    title MySQL 5.6.x < 5.6.34 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-01 (MariaDB and MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MariaDB and MySQL. Please review the CVE identifiers referenced below for details. Impact : Attackers could execute arbitrary code, escalate privileges, and impact availability via unspecified vectors. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2017-01-03
    plugin id 96232
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96232
    title GLSA-201701-01 : MariaDB and MySQL: Multiple vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_856B88BF798411E681E7D050996490D0.NASL
    description Dawid Golunski reports : An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 93496
    published 2016-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93496
    title FreeBSD : mysql -- Remote Root Code Execution (856b88bf-7984-11e6-81e7-d050996490d0)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2404-1.NASL
    description This update for mariadb to 10.0.27 fixes the following issues: Security issue fixed : - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog Bugs fixed : - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 93771
    published 2016-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93771
    title SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2016:2404-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2395-1.NASL
    description This update for mariadb to 10.0.27 fixes the following issues: Security issue fixed : - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog Bugs fixed : - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 93766
    published 2016-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93766
    title SUSE SLES12 Security Update : mariadb (SUSE-SU-2016:2395-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2343-1.NASL
    description This mysql update to version 5.5.52 fixes the following issues: Security issues fixed : - CVE-2016-3477: Fixed unspecified vulnerability in subcomponent parser (bsc#989913). - CVE-2016-3521: Fixed unspecified vulnerability in subcomponent types (bsc#989919). - CVE-2016-3615: Fixed unspecified vulnerability in subcomponent dml (bsc#989922). - CVE-2016-5440: Fixed unspecified vulnerability in subcomponent rbr (bsc#989926). - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) More details can be found on: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-50.html Bugs fixed : - bsc#967374: properly restart mysql multi instances during upgrade - bnc#937258: multi script to restart after crash Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 93615
    published 2016-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93615
    title SUSE SLES11 Security Update : mysql (SUSE-SU-2016:2343-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2595.NASL
    description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2017-10-29
    modified 2017-01-10
    plugin id 94558
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94558
    title RHEL 7 : mariadb (RHSA-2016:2595)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170124_MYSQL_ON_SL6_X.NASL
    description Security Fix(es) : - It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2017-10-29
    modified 2017-01-25
    plugin id 96758
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96758
    title Scientific Linux Security Update : mysql on SL6.x i386/x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_B64A73897C2711E68AAA5404A68AD561.NASL
    description LegalHackers' reports : RCE Bugs discovered in MySQL and its variants like MariaDB. It works by manipulating my.cnf files and using --malloc-lib. The bug seems fixed in MySQL 5.7.15 by Oracle
    last seen 2017-10-29
    modified 2017-07-05
    plugin id 93582
    published 2016-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93582
    title FreeBSD : Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662 (b64a7389-7c27-11e6-8aaa-5404a68ad561)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1154.NASL
    description This update for mariadb to 10.0.27 fixes the following issues : Security issue fixed : - CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog Bugs fixed : - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520) This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2017-10-29
    modified 2016-10-13
    plugin id 93854
    published 2016-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93854
    title openSUSE Security Update : mariadb (openSUSE-2016-1154)
  • NASL family Databases
    NASL id MYSQL_5_5_52_RPM.NASL
    description The version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. (VulnDB 143808) - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 143822) - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. (VulnDB 143823) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2017-10-29
    modified 2017-01-23
    plugin id 93376
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93376
    title MySQL 5.5.x < 5.5.52 Multiple Vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_MARIADB_ON_SL7_X.NASL
    description The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). Security Fix(es) : - It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes :
    last seen 2017-10-29
    modified 2016-12-15
    plugin id 95847
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95847
    title Scientific Linux Security Update : mariadb on SL7.x x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-0901301DFF.NASL
    description Update to MySQL 5.7.15, Security fix for CVE-2016-6662 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 93724
    published 2016-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93724
    title Fedora 24 : community-mysql (2016-0901301dff)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-624.NASL
    description Dawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege escalation. The vulnerability was addressed by upgrading MySQL to the new upstream version 5.5.52, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes for further details : https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html For Debian 7 'Wheezy', these problems have been fixed in version 5.5.52-0+deb7u1. We recommend that you upgrade your mysql-5.5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-06
    plugin id 93564
    published 2016-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93564
    title Debian DLA-624-1 : mysql-5.5 security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-800.NASL
    description It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-5616, CVE-2016-6663)
    last seen 2018-04-19
    modified 2018-04-18
    plugin id 97329
    published 2017-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97329
    title Amazon Linux AMI : mysql51 (ALAS-2017-800)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1274.NASL
    description This update for mariadb to 10.0.27 fixes the following issues : - release notes : - https://kb.askmonty.org/en/mariadb-10027-release-notes - https://kb.askmonty.org/en/mariadb-10026-release-notes - changelog : - https://kb.askmonty.org/en/mariadb-10027-changelog - https://kb.askmonty.org/en/mariadb-10026-changelog - fixed CVE's 10.0.27: CVE-2016-5612, CVE-2016-5630, CVE-2016-6662 10.0.26: CVE-2016-5440, CVE-2016-3615, CVE-2016-3521, CVE-2016-3477 - fix: [boo#1005561], [boo#1005570], [boo#998309], [boo#989926], [boo#989922], [boo#989919], [boo#989913] - requires devel packages for aio and lzo2 - remove mariadb-10.0.21-mysql-test_main_bootstrap.patch that is no longer needed [boo#984858] - append '--ignore-db-dir=lost+found' to the mysqld options in 'mysql-systemd-helper' script if 'lost+found' directory is found in $datadir [boo#986251] - remove syslog.target from *.service files [boo#983938] - add systemd to deps to build on leap and friends - replace '%{_libexecdir}/systemd/system' with %{_unitdir} macro - remove useless mysql@default.service [boo#971456] - make ORDER BY optimization functions take into account multiple equalities [boo#949520] - adjust mysql-test results in order to take account of a new option (orderby_uses_equalities) added by the optimizer patch [boo#1003800] - replace all occurrences of the string '@sysconfdir@' with '/etc' in mysql-community-server-5.1.46-logrotate.patch as it wasn't expanded properly [boo#990890]
    last seen 2017-10-29
    modified 2016-11-09
    plugin id 94649
    published 2016-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94649
    title openSUSE Security Update : mariadb (openSUSE-2016-1274)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-257-01.NASL
    description New mariadb or mysql packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen 2017-10-29
    modified 2016-10-19
    plugin id 93484
    published 2016-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93484
    title Slackware 14.0 / 14.1 / 14.2 / current : mariadb / mysql (SSA:2016-257-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3666.NASL
    description Dawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege escalation. The vulnerability was addressed by upgrading MySQL to the new upstream version 5.5.52, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes for further details : - https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html - https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
    last seen 2017-10-29
    modified 2016-12-06
    plugin id 93486
    published 2016-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93486
    title Debian DSA-3666-1 : mysql-5.5 - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-58F90AE3CC.NASL
    description Update to 10.0.27, which also includes a security fix for CVE-2016-6662. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 93881
    published 2016-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93881
    title Fedora 23 : 1:mariadb (2016-58f90ae3cc)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1289.NASL
    description mysql-community-server was updated to 5.6.34 to fix the following issues : - Changes http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-34.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-32.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-31.html - fixed CVEs: CVE-2016-6304, CVE-2016-6662, CVE-2016-7440, CVE-2016-5584, CVE-2016-5617, CVE-2016-5616, CVE-2016-5626, CVE-2016-3492, CVE-2016-5629, CVE-2016-5507, CVE-2016-8283, CVE-2016-5609, CVE-2016-5612, CVE-2016-5627, CVE-2016-5630, CVE-2016-8284, CVE-2016-8288, CVE-2016-3477, CVE-2016-2105, CVE-2016-3486, CVE-2016-3501, CVE-2016-3521, CVE-2016-3615, CVE-2016-3614, CVE-2016-3459, CVE-2016-5439, CVE-2016-5440 - fixes SUSE Bugs: [boo#999666], [boo#998309], [boo#1005581], [boo#1005558], [boo#1005563], [boo#1005562], [boo#1005566], [boo#1005555], [boo#1005569], [boo#1005557], [boo#1005582], [boo#1005560], [boo#1005561], [boo#1005567], [boo#1005570], [boo#1005583], [boo#1005586], [boo#989913], [boo#977614], [boo#989914], [boo#989915], [boo#989919], [boo#989922], [boo#989921], [boo#989911], [boo#989925], [boo#989926] - append '--ignore-db-dir=lost+found' to the mysqld options in 'mysql-systemd-helper' script if 'lost+found' directory is found in $datadir [boo#986251] - remove syslog.target from *.service files [boo#983938] - add systemd to deps to build on leap and friends - replace '%{_libexecdir}/systemd/system' with %{_unitdir} macro - remove useless mysql@default.service [boo#971456] - replace all occurrences of the string '@sysconfdir@' with '/etc' in mysql-community-server-5.6.3-logrotate.patch as it wasn't expanded properly [boo#990890] - remove '%define _rundir' as 13.1 is out of support scope - run 'usermod -g mysql mysql' only if mysql user is not in mysql group. Run 'usermod -s /bin/false/ mysql' only if mysql user doesn't have '/bin/false' shell set. - re-enable mysql profiling
    last seen 2017-10-29
    modified 2016-11-14
    plugin id 94756
    published 2016-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94756
    title openSUSE Security Update : mysql-community-server (openSUSE-2016-1289)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1283.NASL
    description mysql-community-server was updated to 5.6.34 to fix the following issues : - Changes http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-34.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-32.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-31.html - fixed CVEs: CVE-2016-6304, CVE-2016-6662, CVE-2016-7440, CVE-2016-5584, CVE-2016-5617, CVE-2016-5616, CVE-2016-5626, CVE-2016-3492, CVE-2016-5629, CVE-2016-5507, CVE-2016-8283, CVE-2016-5609, CVE-2016-5612, CVE-2016-5627, CVE-2016-5630, CVE-2016-8284, CVE-2016-8288, CVE-2016-3477, CVE-2016-2105, CVE-2016-3486, CVE-2016-3501, CVE-2016-3521, CVE-2016-3615, CVE-2016-3614, CVE-2016-3459, CVE-2016-5439, CVE-2016-5440 - fixes SUSE Bugs: [boo#999666], [boo#998309], [boo#1005581], [boo#1005558], [boo#1005563], [boo#1005562], [boo#1005566], [boo#1005555], [boo#1005569], [boo#1005557], [boo#1005582], [boo#1005560], [boo#1005561], [boo#1005567], [boo#1005570], [boo#1005583], [boo#1005586], [boo#989913], [boo#977614], [boo#989914], [boo#989915], [boo#989919], [boo#989922], [boo#989921], [boo#989911], [boo#989925], [boo#989926] - append '--ignore-db-dir=lost+found' to the mysqld options in 'mysql-systemd-helper' script if 'lost+found' directory is found in $datadir [boo#986251] - remove syslog.target from *.service files [boo#983938] - add systemd to deps to build on leap and friends - replace '%{_libexecdir}/systemd/system' with %{_unitdir} macro - remove useless mysql@default.service [boo#971456] - replace all occurrences of the string '@sysconfdir@' with '/etc' in mysql-community-server-5.6.3-logrotate.patch as it wasn't expanded properly [boo#990890] - remove '%define _rundir' as 13.1 is out of support scope - run 'usermod -g mysql mysql' only if mysql user is not in mysql group. Run 'usermod -s /bin/false/ mysql' only if mysql user doesn't have '/bin/false' shell set. - re-enable mysql profiling
    last seen 2017-10-29
    modified 2016-11-14
    plugin id 94694
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94694
    title openSUSE Security Update : mysql-community-server (openSUSE-2016-1283)
  • NASL family Databases
    NASL id MYSQL_5_6_34.NASL
    description The version of MySQL running on the remote host is 5.6.x prior to 5.6.34. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the 'openssl ts' command, to cause denial of service or to disclose sensitive information. (CVE-2016-2180) - A denial of service vulnerability exists in the Anti-Replay feature in the DTLS implementation due to improper handling of epoch sequence numbers in records. An unauthenticated, remote attacker can exploit this, via spoofed DTLS records, to cause legitimate packets to be dropped. (CVE-2016-2181) - An overflow condition exists in the BN_bn2dec() function in bn_print.c due to improper validation of user-supplied input when handling BIGNUM values. An unauthenticated, remote attacker can exploit this to crash the process. (CVE-2016-2182) - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the tls_decrypt_ticket() function in t1_lib.c due to improper handling of ticket HMAC digests. An unauthenticated, remote attacker can exploit this, via a ticket that is too short, to crash the process, resulting in a denial of service. (CVE-2016-6302) - An integer overflow condition exists in the MDC2_Update() function in mdc2dgst.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possibly the execution of arbitrary code. (CVE-2016-6303) - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition. (CVE-2016-6304) - An out-of-bounds read error exists in the certificate parser that allows an unauthenticated, remote attacker to cause a denial of service via crafted certificate operations. (CVE-2016-6306) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. (CVE-2016-7440) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283)
    last seen 2018-05-18
    modified 2018-05-17
    plugin id 94166
    published 2016-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94166
    title MySQL 5.6.x < 5.6.34 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0184.NASL
    description From Red Hat Security Advisory 2017:0184 : An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2017-10-29
    modified 2017-01-27
    plugin id 96753
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96753
    title Oracle Linux 6 : mysql (ELSA-2017-0184)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2595.NASL
    description From Red Hat Security Advisory 2016:2595 : An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-01-05
    modified 2018-01-05
    plugin id 94715
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94715
    title Oracle Linux 7 : mariadb (ELSA-2016-2595)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2595.NASL
    description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-01-05
    modified 2018-01-05
    plugin id 95341
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95341
    title CentOS 7 : mariadb (CESA-2016:2595)
  • NASL family Databases
    NASL id MYSQL_5_7_15.NASL
    description The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - An unspecified flaw exists in the Security: Privileges subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-8286) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. (VulnDB 143808) - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143820) - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143821) - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 143822) - An information disclosure vulnerability exists in the validate_password plugin due to passwords that have been rejected being written as plaintext to the error log. A local attacker can exploit this to more easily guess what passwords might have been chosen and accepted. (VulnDB 143824) - A flaw exists in InnoDB when handling an ALTER TABLE ... ENCRYPTION='Y', ALGORITHM=COPY operation that is applied to a table in the system tablespace. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143826) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-05-18
    modified 2018-05-17
    plugin id 93379
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93379
    title MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MARIADB_10_1_17.NASL
    description The version of MariaDB running on the remote host is 10.1.x prior to 10.1.17. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A NULL pointer dereference flaw exists in the innobase_need_rebuild() function when handling renamed columns that allows an authenticated, remote attacker to crash the database, resulting in a denial of service. (VulnDB 143528) - A denial of service vulnerability exists in the ha_myisam::enable_indexes() function within file storage/myisam/ha_myisam.cc when handling ALTER TABLE statements. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143529) - A denial of service vulnerability exists in the Item_sum_std::val_real() function within file sql/item_sum.cc when handling SUM statements. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143531) - A denial of service vulnerability exists within file sql/item_subselect.cc when handling specially crafted queries for non-existent functions. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143736) - A denial of service vulnerability exists in the Item_subselect::is_expensive() function within file sql/item_subselect.cc due to improper handling of optimization procedures. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143755) - A denial of service vulnerability exists in the st_select_lex_unit::cleanup() function within file sql/sql_union.cc when handling UNION queries during JOIN cleanup. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143756)
    last seen 2018-05-18
    modified 2018-05-17
    plugin id 93610
    published 2016-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93610
    title MariaDB 10.1.x < 10.1.17 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MYSQL_5_7_16.NASL
    description The version of MySQL running on the remote host is 5.7.x prior to 5.7.16. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the 'openssl ts' command, to cause denial of service or to disclose sensitive information. (CVE-2016-2180) - A denial of service vulnerability exists in the Anti-Replay feature in the DTLS implementation due to improper handling of epoch sequence numbers in records. An unauthenticated, remote attacker can exploit this, via spoofed DTLS records, to cause legitimate packets to be dropped. (CVE-2016-2181) - An overflow condition exists in the BN_bn2dec() function in bn_print.c due to improper validation of user-supplied input when handling BIGNUM values. An unauthenticated, remote attacker can exploit this to crash the process. (CVE-2016-2182) - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - A flaw exists in the tls_decrypt_ticket() function in t1_lib.c due to improper handling of ticket HMAC digests. An unauthenticated, remote attacker can exploit this, via a ticket that is too short, to crash the process, resulting in a denial of service. (CVE-2016-6302) - An integer overflow condition exists in the MDC2_Update() function in mdc2dgst.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possibly the execution of arbitrary code. (CVE-2016-6303) - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition. (CVE-2016-6304) - An out-of-bounds read error exists in the certificate parser that allows an unauthenticated, remote attacker to cause a denial of service via crafted certificate operations. (CVE-2016-6306) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. (CVE-2016-7440) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-05-18
    modified 2018-05-17
    plugin id 94167
    published 2016-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94167
    title MySQL 5.7.x < 5.7.16 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)
  • NASL family Databases
    NASL id MYSQL_5_5_53.NASL
    description The version of MySQL running on the remote host is 5.5.x prior to 5.5.53. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. (CVE-2016-7440) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-05-22
    modified 2018-05-21
    plugin id 94165
    published 2016-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94165
    title MySQL 5.5.x < 5.5.53 Multiple Vulnerabilities (October 2016 CPU)
  • NASL family Databases
    NASL id MYSQL_5_6_33_RPM.NASL
    description The version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. (VulnDB 143808) - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143820) - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143821) - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 143822) - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. (VulnDB 143823) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2017-10-29
    modified 2017-01-23
    plugin id 93378
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93378
    title MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MARIADB_10_0_27.NASL
    description The version of MariaDB running on the remote host is 10.0.x prior to 10.0.27. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A denial of service vulnerability exists in the emb_stmt_execute() function in file libmysqld/lib_sql.cc when handling queries. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 141702) - A NULL pointer dereference flaw exists in the innobase_need_rebuild() function when handling renamed columns that allows an authenticated, remote attacker to crash the database, resulting in a denial of service. (VulnDB 143528) - A denial of service vulnerability exists in the ha_myisam::enable_indexes() function within file storage/myisam/ha_myisam.cc when handling ALTER TABLE statements. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143529) - A denial of service vulnerability exists in the Item_sum_std::val_real() function within file sql/item_sum.cc when handling SUM statements. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143531) - A denial of service vulnerability exists in the my_double_round() function within file sql/item_func.cc when handling specially crafted queries. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143532) - A denial of service vulnerability exists in the st_select_lex_unit::cleanup() function within file sql/sql_union.cc when handling UNION queries during JOIN cleanup. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143756)
    last seen 2018-05-18
    modified 2018-05-17
    plugin id 93609
    published 2016-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93609
    title MariaDB 10.0.x < 10.0.27 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MARIADB_5_5_51.NASL
    description The version of MariaDB running on the remote host is 5.5.x prior to 5.5.51. It is, therefore, affected by multiple vulnerabilities: - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A denial of service vulnerability exists in the emb_stmt_execute() function in file libmysqld/lib_sql.cc when handling queries. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 141702) - A denial of service vulnerability exists in the st_select_lex_unit::cleanup() function within file sql/sql_union.cc when handling UNION queries during JOIN cleanup. An authenticated, remote attacker can exploit this to crash the database. (VulnDB 143756)
    last seen 2018-05-18
    modified 2018-05-17
    plugin id 93611
    published 2016-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93611
    title MariaDB 5.5.x < 5.5.51 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MYSQL_5_7_16_RPM.NASL
    description The version of MySQL running on the remote host is 5.7.x prior to 5.7.16. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the 'openssl ts' command, to cause denial of service or to disclose sensitive information. (CVE-2016-2180) - A denial of service vulnerability exists in the Anti-Replay feature in the DTLS implementation due to improper handling of epoch sequence numbers in records. An unauthenticated, remote attacker can exploit this, via spoofed DTLS records, to cause legitimate packets to be dropped. (CVE-2016-2181) - An overflow condition exists in the BN_bn2dec() function in bn_print.c due to improper validation of user-supplied input when handling BIGNUM values. An unauthenticated, remote attacker can exploit this to crash the process. (CVE-2016-2182) - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - A flaw exists in the tls_decrypt_ticket() function in t1_lib.c due to improper handling of ticket HMAC digests. An unauthenticated, remote attacker can exploit this, via a ticket that is too short, to crash the process, resulting in a denial of service. (CVE-2016-6302) - An integer overflow condition exists in the MDC2_Update() function in mdc2dgst.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possibly the execution of arbitrary code. (CVE-2016-6303) - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition. (CVE-2016-6304) - An out-of-bounds read error exists in the certificate parser that allows an unauthenticated, remote attacker to cause a denial of service via crafted certificate operations. (CVE-2016-6306) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. (CVE-2016-7440) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2017-10-29
    modified 2017-01-23
    plugin id 94198
    published 2016-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94198
    title MySQL 5.7.x < 5.7.16 Multiple Vulnerabilities (October 2016 CPU) (SWEET32)
  • NASL family Databases
    NASL id MYSQL_5_7_15_RPM.NASL
    description The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - An unspecified flaw exists in the Security: Privileges subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-8286) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. (VulnDB 143808) - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143820) - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143821) - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 143822) - An information disclosure vulnerability exists in the validate_password plugin due to passwords that have been rejected being written as plaintext to the error log. A local attacker can exploit this to more easily guess what passwords might have been chosen and accepted. (VulnDB 143824) - A flaw exists in InnoDB when handling an ALTER TABLE ... ENCRYPTION='Y', ALGORITHM=COPY operation that is applied to a table in the system tablespace. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143826) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2017-10-29
    modified 2017-01-23
    plugin id 93380
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93380
    title MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2780-1.NASL
    description This mysql version update to 5.5.53 fixes the following issues : - CVE-2016-6662: Unspecified vulnerability in subcomponent Logging (bsc#1005580) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) Release Notes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-27
    plugin id 94757
    published 2016-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94757
    title SUSE SLES11 Security Update : mysql (SUSE-SU-2016:2780-1)
  • NASL family Databases
    NASL id MYSQL_5_5_52.NASL
    description The version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. (VulnDB 143808) - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 143822) - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. (VulnDB 143823) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-05-22
    modified 2018-05-21
    plugin id 93375
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93375
    title MySQL 5.5.x < 5.5.52 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0184.NASL
    description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2017-10-29
    modified 2017-01-27
    plugin id 96756
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96756
    title RHEL 6 : mysql (RHSA-2017:0184)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-0184.NASL
    description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2017-10-29
    modified 2017-01-27
    plugin id 96812
    published 2017-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96812
    title CentOS 6 : mysql (CESA-2017:0184)
  • NASL family Databases
    NASL id MYSQL_5_5_53_RPM.NASL
    description The version of MySQL running on the remote host is 5.5.x prior to 5.5.53. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. (CVE-2016-7440) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2017-10-29
    modified 2017-01-23
    plugin id 94196
    published 2016-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94196
    title MySQL 5.5.x < 5.5.53 Multiple Vulnerabilities (October 2016 CPU)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1062.NASL
    description According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. (CVE-2016-3492) - Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-5612) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM. (CVE-2016-5616) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-5624) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS. (CVE-2016-5626) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated. (CVE-2016-5629) - Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. (CVE-2016-6662) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-8283) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-06-14
    modified 2018-06-13
    plugin id 99824
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99824
    title EulerOS 2.0 SP1 : mariadb (EulerOS-SA-2016-1062)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3078-1.NASL
    description Dawid Golunski discovered that MySQL incorrectly handled configuration files. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. MySQL has been updated to 5.5.52 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04 LTS has been updated to MySQL 5.7.15. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-14.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-12-01
    plugin id 93510
    published 2016-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93510
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : mysql-5.5, mysql-5.7 vulnerability (USN-3078-1)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-0184.NASL
    description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-06-14
    modified 2018-06-13
    plugin id 101415
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101415
    title Virtuozzo 6 : mysql / mysql-bench / mysql-devel / mysql-embedded / etc (VZLSA-2017-0184)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0035.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix date in the test - Fix (CVE-2016-6662, CVE-2016-6663) Resolves: #1397309 - Fixed reload_acl_and_cache Resolves: #1281370 - Add support for TLSv1.1 and TLSv1.2 - Fixed test events_1 (end date in past) Resolves: #1287048
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 96790
    published 2017-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96790
    title OracleVM 3.3 / 3.4 : mysql (OVMSA-2017-0035)
  • NASL family Databases
    NASL id MYSQL_5_6_33.NASL
    description The version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. (VulnDB 143808) - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143820) - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. (VulnDB 143821) - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 143822) - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. (VulnDB 143823) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-05-18
    modified 2018-05-17
    plugin id 93377
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93377
    title MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities
redhat via4
advisories
  • rhsa
    id RHSA-2016:2058
  • rhsa
    id RHSA-2016:2059
  • rhsa
    id RHSA-2016:2060
  • rhsa
    id RHSA-2016:2061
  • rhsa
    id RHSA-2016:2062
  • rhsa
    id RHSA-2016:2077
  • rhsa
    id RHSA-2016:2130
  • rhsa
    id RHSA-2016:2131
  • rhsa
    id RHSA-2016:2595
  • rhsa
    id RHSA-2016:2749
  • rhsa
    id RHSA-2016:2927
  • rhsa
    id RHSA-2016:2928
  • rhsa
    id RHSA-2017:0184
rpms
  • mariadb-1:5.5.52-1.el7
  • mariadb-bench-1:5.5.52-1.el7
  • mariadb-devel-1:5.5.52-1.el7
  • mariadb-embedded-1:5.5.52-1.el7
  • mariadb-embedded-devel-1:5.5.52-1.el7
  • mariadb-libs-1:5.5.52-1.el7
  • mariadb-server-1:5.5.52-1.el7
  • mariadb-test-1:5.5.52-1.el7
  • mysql-0:5.1.73-8.el6_8
  • mysql-bench-0:5.1.73-8.el6_8
  • mysql-devel-0:5.1.73-8.el6_8
  • mysql-embedded-0:5.1.73-8.el6_8
  • mysql-embedded-devel-0:5.1.73-8.el6_8
  • mysql-libs-0:5.1.73-8.el6_8
  • mysql-server-0:5.1.73-8.el6_8
  • mysql-test-0:5.1.73-8.el6_8
refmap via4
bid 92912
confirm
debian DSA-3666
fulldisc 20160912 CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
gentoo GLSA-201701-01
misc http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
mlist [oss-security] 20160912 CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
sectrack 1036769
Last major update 10-02-2017 - 21:59
Published 20-09-2016 - 14:59
Last modified 04-01-2018 - 21:31