ID CVE-2016-6663
Summary Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.
References
Vulnerable Configurations
  • Percona XtraDB Cluster 5.5
    cpe:2.3:a:percona:xtradb_cluster:5.5
  • Percona XtraDB Cluster 5.5.27-23.6
    cpe:2.3:a:percona:xtradb_cluster:5.5.27-23.6
  • Percona XtraDB Cluster 5.5.29-23.7.1
    cpe:2.3:a:percona:xtradb_cluster:5.5.29-23.7.1
  • Percona XtraDB Cluster 5.5.29-23.7.2
    cpe:2.3:a:percona:xtradb_cluster:5.5.29-23.7.2
  • Percona XtraDB Cluster 5.5.30-23.7.4
    cpe:2.3:a:percona:xtradb_cluster:5.5.30-23.7.4
  • Percona XtraDB Cluster 5.5.31-23.7.5
    cpe:2.3:a:percona:xtradb_cluster:5.5.31-23.7.5
  • Percona XtraDB Cluster 5.5.34-25.9
    cpe:2.3:a:percona:xtradb_cluster:5.5.34-25.9
  • Percona XtraDB Cluster 5.5.37-25.10
    cpe:2.3:a:percona:xtradb_cluster:5.5.37-25.10
  • Percona XtraDB Cluster 5.5.39-25.11
    cpe:2.3:a:percona:xtradb_cluster:5.5.39-25.11
  • Percona XtraDB Cluster 5.6
    cpe:2.3:a:percona:xtradb_cluster:5.6
  • Percona XtraDB Cluster 5.6.14-25.1
    cpe:2.3:a:percona:xtradb_cluster:5.6.14-25.1
  • Percona XtraDB Cluster 5.6.15-25.2
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.2
  • Percona XtraDB Cluster 5.6.15-25.3
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.3
  • Percona XtraDB Cluster 5.6.15-25.4
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.4
  • Percona XtraDB Cluster 5.6.15-25.5
    cpe:2.3:a:percona:xtradb_cluster:5.6.15-25.5
  • Percona XtraDB Cluster 5.6.19-25.6
    cpe:2.3:a:percona:xtradb_cluster:5.6.19-25.6
  • Percona XtraDB Cluster 5.6.20-25.7
    cpe:2.3:a:percona:xtradb_cluster:5.6.20-25.7
  • Percona XtraDB Cluster 5.6.21-25.8
    cpe:2.3:a:percona:xtradb_cluster:5.6.21-25.8
  • Percona XtraDB Cluster 5.6.22-25.8
    cpe:2.3:a:percona:xtradb_cluster:5.6.22-25.8
  • Percona XtraDB Cluster 5.6.24-25.11
    cpe:2.3:a:percona:xtradb_cluster:5.6.24-25.11
  • Percona XtraDB Cluster 5.6.25-25.12
    cpe:2.3:a:percona:xtradb_cluster:5.6.25-25.12
  • Percona XtraDB Cluster 5.6.26-25.12
    cpe:2.3:a:percona:xtradb_cluster:5.6.26-25.12
  • Percona XtraDB Cluster 5.6.27-25.13
    cpe:2.3:a:percona:xtradb_cluster:5.6.27-25.13
  • Percona XtraDB Cluster 5.6.28-25.14
    cpe:2.3:a:percona:xtradb_cluster:5.6.28-25.14
  • Percona XtraDB Cluster 5.6.29-25.15
    cpe:2.3:a:percona:xtradb_cluster:5.6.29-25.15
  • Percona XtraDB Cluster 5.6.30-25.16
    cpe:2.3:a:percona:xtradb_cluster:5.6.30-25.16
  • Percona XtraDB Cluster 5.6.30-25.16.2
    cpe:2.3:a:percona:xtradb_cluster:5.6.30-25.16.2
  • Percona XtraDB Cluster 5.6.30-25.16.3
    cpe:2.3:a:percona:xtradb_cluster:5.6.30-25.16.3
  • Percona XtraDB Cluster 5.7
    cpe:2.3:a:percona:xtradb_cluster:5.7
  • Percona XtraDB Cluster 5.7.11-4 Beta-25.14.2
    cpe:2.3:a:percona:xtradb_cluster:5.7.11-4:beta-25.14.2
  • Percona XtraDB Cluster 5.7.11-25.14.2 Beta
    cpe:2.3:a:percona:xtradb_cluster:5.7.11-25.14.2:beta
  • Percona XtraDB Cluster 5.7.12-26.16 Release Candidate 1
    cpe:2.3:a:percona:xtradb_cluster:5.7.12-26.16:rc1
  • MariaDB 5.5.20
    cpe:2.3:a:mariadb:mariadb:5.5.20
  • MariaDB 5.5.21
    cpe:2.3:a:mariadb:mariadb:5.5.21
  • MariaDB 5.5.22
    cpe:2.3:a:mariadb:mariadb:5.5.22
  • MariaDB 5.5.23
    cpe:2.3:a:mariadb:mariadb:5.5.23
  • MariaDB 5.5.24
    cpe:2.3:a:mariadb:mariadb:5.5.24
  • MariaDB 5.5.25
    cpe:2.3:a:mariadb:mariadb:5.5.25
  • MariaDB 5.5.27
    cpe:2.3:a:mariadb:mariadb:5.5.27
  • MariaDB 5.5.28
    cpe:2.3:a:mariadb:mariadb:5.5.28
  • MariaDB 5.5.28a
    cpe:2.3:a:mariadb:mariadb:5.5.28a
  • MariaDB 5.5.33
    cpe:2.3:a:mariadb:mariadb:5.5.33
  • MariaDB 5.5.33a
    cpe:2.3:a:mariadb:mariadb:5.5.33:a
  • MariaDB 5.5.34
    cpe:2.3:a:mariadb:mariadb:5.5.34
  • MariaDB 5.5.35
    cpe:2.3:a:mariadb:mariadb:5.5.35
  • MariaDB 5.5.40
    cpe:2.3:a:mariadb:mariadb:5.5.40
  • MariaDB 5.5.43
    cpe:2.3:a:mariadb:mariadb:5.5.43
  • MariaDB 5.5.46
    cpe:2.3:a:mariadb:mariadb:5.5.46
  • MariaDB 5.5.47
    cpe:2.3:a:mariadb:mariadb:5.5.47
  • MariaDB 5.5.48
    cpe:2.3:a:mariadb:mariadb:5.5.48
  • MariaDB 5.5.49
    cpe:2.3:a:mariadb:mariadb:5.5.49
  • MariaDB 5.5.50
    cpe:2.3:a:mariadb:mariadb:5.5.50
  • MariaDB 5.5.51
    cpe:2.3:a:mariadb:mariadb:5.5.51
  • MariaDB 10.0.0
    cpe:2.3:a:mariadb:mariadb:10.0.0
  • MariaDB 10.0.1
    cpe:2.3:a:mariadb:mariadb:10.0.1
  • MariaDB 10.0.2
    cpe:2.3:a:mariadb:mariadb:10.0.2
  • MariaDB 10.0.3
    cpe:2.3:a:mariadb:mariadb:10.0.3
  • MariaDB 10.0.4
    cpe:2.3:a:mariadb:mariadb:10.0.4
  • MariaDB 10.0.5
    cpe:2.3:a:mariadb:mariadb:10.0.5
  • MariaDB 10.0.6
    cpe:2.3:a:mariadb:mariadb:10.0.6
  • MariaDB 10.0.7
    cpe:2.3:a:mariadb:mariadb:10.0.7
  • MariaDB 10.0.8
    cpe:2.3:a:mariadb:mariadb:10.0.8
  • MariaDB 10.0.9
    cpe:2.3:a:mariadb:mariadb:10.0.9
  • MariaDB 10.0.10
    cpe:2.3:a:mariadb:mariadb:10.0.10
  • MariaDB 10.0.11
    cpe:2.3:a:mariadb:mariadb:10.0.11
  • MariaDB 10.0.12
    cpe:2.3:a:mariadb:mariadb:10.0.12
  • MariaDB 10.0.13
    cpe:2.3:a:mariadb:mariadb:10.0.13
  • MariaDB 10.0.14
    cpe:2.3:a:mariadb:mariadb:10.0.14
  • MariaDB 10.0.15
    cpe:2.3:a:mariadb:mariadb:10.0.15
  • MariaDB 10.0.16
    cpe:2.3:a:mariadb:mariadb:10.0.16
  • MariaDB 10.0.17
    cpe:2.3:a:mariadb:mariadb:10.0.17
  • MariaDB 10.0.18
    cpe:2.3:a:mariadb:mariadb:10.0.18
  • MariaDB 10.0.19
    cpe:2.3:a:mariadb:mariadb:10.0.19
  • MariaDB 10.0.20
    cpe:2.3:a:mariadb:mariadb:10.0.20
  • MariaDB 10.0.21
    cpe:2.3:a:mariadb:mariadb:10.0.21
  • MariaDB 10.0.22
    cpe:2.3:a:mariadb:mariadb:10.0.22
  • MariaDB 10.0.23
    cpe:2.3:a:mariadb:mariadb:10.0.23
  • MariaDB 10.0.24
    cpe:2.3:a:mariadb:mariadb:10.0.24
  • MariaDB 10.0.25
    cpe:2.3:a:mariadb:mariadb:10.0.25
  • MariaDB 10.0.26
    cpe:2.3:a:mariadb:mariadb:10.0.26
  • MariaDB 10.0.27
    cpe:2.3:a:mariadb:mariadb:10.0.27
  • Oracle MySQL 8.0
    cpe:2.3:a:oracle:mysql:8.0
CVSS
Base: 4.4 (as of 19-01-2017 - 11:55)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
Vector: LOCAL
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
exploit-db via4
description MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition. CVE-2016-5616,CVE-2016-6663. Local exploit for Lin...
file exploits/linux/local/40678.c
id EDB-ID:40678
last seen 2016-11-02
modified 2016-11-01
platform linux
port
published 2016-11-01
reporter Dawid Golunski
source https://www.exploit-db.com/download/40678/
title MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition
type local
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0035.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix date in the test - Fix (CVE-2016-6662, CVE-2016-6663) Resolves: #1397309 - Fixed reload_acl_and_cache Resolves: #1281370 - Add support for TLSv1.1 and TLSv1.2 - Fixed test events_1 (end date in past) Resolves: #1287048
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 96790
    published 2017-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96790
    title OracleVM 3.3 / 3.4 : mysql (OVMSA-2017-0035)
  • NASL family Databases
    NASL id MYSQL_5_7_15.NASL
    description The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - An unspecified flaw exists in the Security: Privileges subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-8286) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An information disclosure vulnerability exists in the validate_password plugin due to passwords that have been rejected being written as plaintext to the error log. A local attacker can exploit this to more easily guess what passwords might have been chosen and accepted. - A flaw exists in InnoDB when handling an ALTER TABLE ... ENCRYPTION='Y', ALGORITHM=COPY operation that is applied to a table in the system tablespace. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93379
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93379
    title MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MYSQL_5_7_15_RPM.NASL
    description The version of MySQL running on the remote host is 5.7.x prior to 5.7.15. It is, therefore, affected by multiple vulnerabilities : - Multiple unspecified flaws exist in the Optimizer subcomponent that allow an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492, CVE-2016-5632) - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the Error Handling subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5617) - An unspecified flaw exists in the Packaging subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5625) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - An unspecified flaw exists in the Security: Privileges subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-8286) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An information disclosure vulnerability exists in the validate_password plugin due to passwords that have been rejected being written as plaintext to the error log. A local attacker can exploit this to more easily guess what passwords might have been chosen and accepted. - A flaw exists in InnoDB when handling an ALTER TABLE ... ENCRYPTION='Y', ALGORITHM=COPY operation that is applied to a table in the system tablespace. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93380
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93380
    title MySQL 5.7.x < 5.7.15 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0184.NASL
    description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96756
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96756
    title RHEL 6 : mysql (RHSA-2017:0184)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-800.NASL
    description It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-5616 , CVE-2016-6663)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 97329
    published 2017-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97329
    title Amazon Linux AMI : mysql51 (ALAS-2017-800)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0184.NASL
    description From Red Hat Security Advisory 2017:0184 : An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 96753
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96753
    title Oracle Linux 6 : mysql (ELSA-2017-0184)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL73828041.NASL
    description Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table. (CVE-2016-6663)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 112023
    published 2018-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112023
    title F5 Networks BIG-IP : MySQL vulnerability (K73828041)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2595.NASL
    description From Red Hat Security Advisory 2016:2595 : An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94715
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94715
    title Oracle Linux 7 : mariadb (ELSA-2016-2595)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_MARIADB_ON_SL7_X.NASL
    description The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). Security Fix(es) : - It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes :
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 95847
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95847
    title Scientific Linux Security Update : mariadb on SL7.x x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2932-1.NASL
    description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318): Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mysql_install_db can't find data files (bsc#1006539) - mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800) - Notable changes : - XtraDB updated to 5.6.33-79.0 - TokuDB updated to 5.6.33-79.0 - Innodb updated to 5.6.33 - Performance Schema updated to 5.6.33 - Release notes and upstream changelog : - https://kb.askmonty.org/en/mariadb-10028-release-notes - https://kb.askmonty.org/en/mariadb-10028-changelog Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 95383
    published 2016-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95383
    title SUSE SLES12 Security Update : mariadb (SUSE-SU-2016:2932-1)
  • NASL family Databases
    NASL id MYSQL_5_5_52_RPM.NASL
    description The version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93376
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93376
    title MySQL 5.5.x < 5.5.52 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_22373C43D72811E6A9A5B499BAEBFEAF.NASL
    description The MySQL project reports : - CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer' sub component. - CVE-2016-5616, CVE-2016-6663: Race condition allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table. - CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files. - CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub component. - CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub component. - CVE-2016-5629: Remote security vulnerability in 'Server: Federated' sub component. - CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub component.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 96510
    published 2017-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96510
    title FreeBSD : MySQL -- multiple vulnerabilities (22373c43-d728-11e6-a9a5-b499baebfeaf)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1062.NASL
    description According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. (CVE-2016-3492) - Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-5612) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM. (CVE-2016-5616) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-5624) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS. (CVE-2016-5626) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated. (CVE-2016-5629) - Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. (CVE-2016-6662) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) - Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-8283) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99824
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99824
    title EulerOS 2.0 SP1 : mariadb (EulerOS-SA-2016-1062)
  • NASL family Databases
    NASL id MYSQL_5_5_52.NASL
    description The version of MySQL running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93375
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93375
    title MySQL 5.5.x < 5.5.52 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MARIADB_5_5_52.NASL
    description The version of MariaDB running on the remote host is 5.5.x prior to 5.5.52. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated remote attacker to cause a denial of service condition. (CVE-2016-5629) - A security bypass vulnerability exists that allows an authenticated, remote attacker to bypass file access restrictions and create the /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - A flaw exists in the Item_field::fix_after_pullout() function within file sql/item.cc when handling a prepared statement with conversion to semi-join. An authenticated, remote attacker can exploit this to cause a denial of service condition. - An assertion flaw exists in the mysql_admin_table() function within file sql/sql_admin.cc when handling the re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to cause a denial of service condition.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 95633
    published 2016-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95633
    title MariaDB 5.5.x < 5.5.52 Multiple Vulnerabilities
  • NASL family Databases
    NASL id MYSQL_5_6_33_RPM.NASL
    description The version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93378
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93378
    title MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1416.NASL
    description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318) : Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800) - Remove useless mysql@default.service (bsc#1004477) - Replace all occurrences of the string '@sysconfdir@' with '/etc' as it wasn't expanded properly (bsc#990890) - Notable changes : - XtraDB updated to 5.6.33-79.0 - TokuDB updated to 5.6.33-79.0 - Innodb updated to 5.6.33 - Performance Schema updated to 5.6.33 - Release notes and upstream changelog : - https://kb.askmonty.org/en/mariadb-10028-release-notes - https://kb.askmonty.org/en/mariadb-10028-changelog This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 95596
    published 2016-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95596
    title openSUSE Security Update : mariadb (openSUSE-2016-1416)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3711.NASL
    description Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.28. Please see the MariaDB 10.0 Release Notes for further details : - https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 94743
    published 2016-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94743
    title Debian DSA-3711-1 : mariadb-10.0 - security update
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2595.NASL
    description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95341
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95341
    title CentOS 7 : mariadb (CESA-2016:2595)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2933-1.NASL
    description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318): Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mysql_install_db can't find data files (bsc#1006539) - mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800) - Remove useless mysql@default.service (bsc#1004477) - Replace all occurrences of the string '@sysconfdir@' with '/etc' as it wasn't expanded properly (bsc#990890) - Notable changes : - XtraDB updated to 5.6.33-79.0 - TokuDB updated to 5.6.33-79.0 - Innodb updated to 5.6.33 - Performance Schema updated to 5.6.33 - Release notes and upstream changelog : - https://kb.askmonty.org/en/mariadb-10028-release-notes - https://kb.askmonty.org/en/mariadb-10028-changelog Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 95384
    published 2016-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95384
    title SUSE SLED12 / SLES12 Security Update : Recommended update for mariadb (SUSE-SU-2016:2933-1)
  • NASL family Databases
    NASL id MARIADB_10_1_18.NASL
    description The version of MariaDB running on the remote host is 10.1.x prior to 10.1.18. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated remote attacker to cause a denial of service condition. (CVE-2016-5629) - A security bypass vulnerability exists that allows an authenticated, remote attacker to bypass file access restrictions and create the /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. (CVE-2016-6663) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - A flaw exists in the Item_field::fix_after_pullout() function within file sql/item.cc when handling a prepared statement with conversion to semi-join. An authenticated, remote attacker can exploit this to cause a denial of service condition. - An assertion flaw exists in the mysql_admin_table() function within file sql/sql_admin.cc when handling the re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to cause a denial of service condition.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 95632
    published 2016-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95632
    title MariaDB 10.1.x < 10.1.18 Multiple Vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-305-03.NASL
    description New mariadb packages are available for Slackware 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-01
    modified 2017-09-21
    plugin id 94440
    published 2016-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94440
    title Slackware 14.1 / 14.2 / current : mariadb (SSA:2016-305-03)
  • NASL family Databases
    NASL id MARIADB_10_0_28.NASL
    description The version of MariaDB running on the remote host is 10.0.x prior to 10.0.28. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Optimizer subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-3492) - An unspecified flaw exists in the Security: Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-5584) - An unspecified flaw exists in the MyISAM subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-5616) - An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5624) - An unspecified flaw exists in the GIS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5626) - An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5629) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists in wolfSSL, specifically within the C software version of AES Encryption and Decryption, due to table lookups not properly considering cache-bank access times. A local attacker can exploit this, via a specially crafted application, to disclose AES keys. Note that this vulnerability does not affect MariaDB packages included in Red Hat products since they're built against system OpenSSL packages. (CVE-2016-7440) - An unspecified flaw exists in the Types subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-8283) - A flaw exists in the fix_after_pullout() function in item.cc that is triggered when handling a prepared statement with a conversion to semi-join. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition. - A flaw exists in the mysql_admin_table() function in sql_admin.cc that is triggered when handling re-execution of certain ANALYZE TABLE prepared statements. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition. - A flaw exists in the fill_alter_inplace_info() function in sql_table.cc that is triggered when altering persistent virtual columns. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition. - A flaw exists in the mysql_rm_table_no_locks() function in sql_table.cc that is triggered during the handling of CREATE OR REPLACE TABLE queries. An authenticated, remote attacker can exploit this to crash the database, resulting in a denial of service condition.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 95540
    published 2016-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95540
    title MariaDB 10.0.x < 10.0.28 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2595.NASL
    description An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es) : * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94558
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94558
    title RHEL 7 : mariadb (RHSA-2016:2595)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170124_MYSQL_ON_SL6_X.NASL
    description Security Fix(es) : - It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) - A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 96758
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96758
    title Scientific Linux Security Update : mysql on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1417.NASL
    description This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318) : Security fixes : - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes : - mysql_install_db can't find data files (bsc#1006539) - mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800) - Remove useless mysql@default.service (bsc#1004477) - Replace all occurrences of the string '@sysconfdir@' with '/etc' as it wasn't expanded properly (bsc#990890) - Notable changes : - XtraDB updated to 5.6.33-79.0 - TokuDB updated to 5.6.33-79.0 - Innodb updated to 5.6.33 - Performance Schema updated to 5.6.33 - Release notes and upstream changelog : - https://kb.askmonty.org/en/mariadb-10028-release-notes - https://kb.askmonty.org/en/mariadb-10028-changelog This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 95597
    published 2016-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95597
    title openSUSE Security Update : mariadb (openSUSE-2016-1417)
  • NASL family Databases
    NASL id MYSQL_5_6_33.NASL
    description The version of MySQL running on the remote host is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the InnoDB subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-5507) - A flaw exists in the check_log_path() function within file sql/sys_vars.cc due to inadequate restrictions on the ability to write to the my.cnf configuration file and allowing the loading of configuration files from path locations not used by current versions. An authenticated, remote attacker can exploit this issue by using specially crafted queries that utilize logging functionality to create new files or append custom content to existing files. This allows the attacker to gain root privileges by inserting a custom .cnf file with a 'malloc_lib=' directive pointing to specially crafted mysql_hookandroot_lib.so file and thereby cause MySQL to load a malicious library the next time it is started. (CVE-2016-6662) - An unspecified flaw exists that allows an authenticated, remote attacker to bypass restrictions and create the /var/lib/mysql/my.cnf file with custom contents without the FILE privilege requirement. (CVE-2016-6663) - A flaw exists that is related to the use of temporary files by REPAIR TABLE. An authenticated, remote attacker can exploit this to gain elevated privileges. - A flaw exists in InnoDB when handling an operation that dropped and created a full-text search table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A flaw exists in InnoDB when accessing full-text auxiliary tables while dropping the indexed table. An authenticated, remote attacker can exploit this to trigger an assertion, resulting in a denial of service condition. - A buffer overflow condition exists when handling long integer values in MEDIUMINT columns due to the improper validation of certain input. An authenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - An unspecified flaw exists due to how a prepared statement uses a parameter in the select list of a derived table that was part of a join. An authenticated, remote attacker can exploit this to cause a server exit, resulting in a denial of service condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 93377
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93377
    title MySQL 5.6.x < 5.6.33 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-0184.NASL
    description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96812
    published 2017-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96812
    title CentOS 6 : mysql (CESA-2017:0184)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-0184.NASL
    description An update for mysql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Security Fix(es) : * It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663, CVE-2016-5616) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-20
    plugin id 101415
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101415
    title Virtuozzo 6 : mysql / mysql-bench / mysql-devel / mysql-embedded / etc (VZLSA-2017-0184)
packetstorm via4
redhat via4
advisories
  • bugzilla
    id 1378936
    title CVE-2016-5616 CVE-2016-6663 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment mysql is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184013
        • comment mysql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164006
      • AND
        • comment mysql-bench is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184005
        • comment mysql-bench is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164008
      • AND
        • comment mysql-devel is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184009
        • comment mysql-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164016
      • AND
        • comment mysql-embedded is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184015
        • comment mysql-embedded is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164010
      • AND
        • comment mysql-embedded-devel is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184017
        • comment mysql-embedded-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164020
      • AND
        • comment mysql-libs is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184019
        • comment mysql-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164014
      • AND
        • comment mysql-server is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184011
        • comment mysql-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164012
      • AND
        • comment mysql-test is earlier than 0:5.1.73-8.el6_8
          oval oval:com.redhat.rhsa:tst:20170184007
        • comment mysql-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110164018
    rhsa
    id RHSA-2017:0184
    released 2017-01-24
    severity Important
    title RHSA-2017:0184: mysql security update (Important)
  • rhsa
    id RHSA-2016:2130
  • rhsa
    id RHSA-2016:2131
  • rhsa
    id RHSA-2016:2595
  • rhsa
    id RHSA-2016:2749
  • rhsa
    id RHSA-2016:2927
  • rhsa
    id RHSA-2016:2928
rpms
  • mariadb-1:5.5.52-1.el7
  • mariadb-bench-1:5.5.52-1.el7
  • mariadb-devel-1:5.5.52-1.el7
  • mariadb-embedded-1:5.5.52-1.el7
  • mariadb-embedded-devel-1:5.5.52-1.el7
  • mariadb-libs-1:5.5.52-1.el7
  • mariadb-server-1:5.5.52-1.el7
  • mariadb-test-1:5.5.52-1.el7
  • mysql-0:5.1.73-8.el6_8
  • mysql-bench-0:5.1.73-8.el6_8
  • mysql-devel-0:5.1.73-8.el6_8
  • mysql-embedded-0:5.1.73-8.el6_8
  • mysql-embedded-devel-0:5.1.73-8.el6_8
  • mysql-libs-0:5.1.73-8.el6_8
  • mysql-server-0:5.1.73-8.el6_8
  • mysql-test-0:5.1.73-8.el6_8
refmap via4
bid
  • 92911
  • 93614
confirm
exploit-db 40678
fulldisc 20161101 MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition Exploit [CVE-2016-6663 / OCVE-2016-5616]
misc https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
mlist [oss-security] 20161025 Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
the hacker news via4
Last major update 19-01-2017 - 13:20
Published 13-12-2016 - 16:59
Last modified 05-03-2019 - 13:23