Sunday, October 26, 2014

Massive Critical Security Patch Released by Oracle Impacting Most Versions of MySQL

Oracle has released a Critical Security Patch for a long list of Oracle products. For MySQL specifically, the patch purports to resolve a multitude of vulnerabilities that allow remote execution without authentication, and impact nearly all versions of the database software.

Oracle provided the following Risk Matrix to their MySQL customers, which outlines the CVE numbers of stated vulnerabilities, the component used by the vulnerability and a number of other details.

I've included a copy of that Matrix for readers to review below.

As the reader can clearly see, the risk for unpatched MySQL users is huge. A total of 154 vulnerabilities are addressed with this update. Some of these vulnerabilities reach a forehead-slapping CVSS score of 9.0 (just one point beneath the score for the recent Shellshock bash vulnerability). 24 of the patches are for MySQL.

I highly advise anyone using MySQL or any Oracle product, including Java, to  update their software immediately.



Oracle MySQL Risk Matrix


CVE#ComponentProtocolSub-
component
Remote Exploit without Auth.?CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)Supported Versions AffectedNotes
Base ScoreAccess VectorAccess ComplexityAuthen-
tication
Confiden-
tiality
IntegrityAvail-
ability
CVE-2014-6507MySQL ServerMySQL ProtocolSERVER:DMLNo8.0NetworkLowSinglePartial+Partial+Complete5.5.39 and eariler, 5.6.20 and earlier
CVE-2014-6491MySQL ServerMySQL ProtocolSERVER:SSL:yaSSLYes7.5NetworkLowNonePartial+Partial+Partial+5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6500MySQL ServerMySQL ProtocolSERVER:SSL:yaSSLYes7.5NetworkLowNonePartial+Partial+Partial+5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6469MySQL ServerMySQL ProtocolSERVER:OPTIMIZERNo6.8NetworkLowSingleNoneNoneComplete5.5.39 and eariler, 5.6.20 and earlier
CVE-2014-0224MySQL ServerMySQL ProtocolSERVER:SSL:OpenSSLYes6.8NetworkMediumNonePartialPartialPartial5.6.19 and earlierSee Note 1
CVE-2014-6530MySQL ServerMySQL ProtocolCLIENT:MYSQLDUMPNo6.5NetworkLowSinglePartial+Partial+Partial+5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6555MySQL ServerMySQL ProtocolSERVER:DMLNo6.5NetworkLowSinglePartial+Partial+Partial+5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6489MySQL ServerMySQL ProtocolSERVER:SPNo5.5NetworkLowSingleNonePartialPartial+5.6.19 and earlier
CVE-2012-5615MySQL ServerMySQL ProtocolSERVER:PRIVILEGES AUTHENTICATION PLUGIN APIYes5.0NetworkLowNonePartialNoneNone5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6559MySQL ServerMySQL ProtocolC API SSL CERTIFICATE HANDLINGYes4.3NetworkMediumNonePartial+NoneNone5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6494MySQL ServerMySQL ProtocolCLIENT:SSL:yaSSLYes4.3NetworkMediumNoneNoneNonePartial+5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6496MySQL ServerMySQL ProtocolCLIENT:SSL:yaSSLYes4.3NetworkMediumNoneNoneNonePartial+5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6495MySQL ServerMySQL ProtocolSERVER:SSL:yaSSLYes4.3NetworkMediumNoneNoneNonePartial5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6478MySQL ServerMySQL ProtocolSERVER:SSL:yaSSLYes4.3NetworkMediumNoneNonePartialNone5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-4274MySQL ServerMySQL ProtocolSERVER:MyISAMNo4.1LocalMediumSinglePartial+Partial+Partial+5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-4287MySQL ServerMySQL ProtocolSERVER:CHARACTER SETSNo4.0NetworkLowSingleNoneNonePartial+5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6520MySQL ServerMySQL ProtocolSERVER:DDLNo4.0NetworkLowSingleNoneNonePartial+5.5.38 and earlier
CVE-2014-6484MySQL ServerMySQL ProtocolSERVER:DMLNo4.0NetworkLowSingleNoneNonePartial+5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6464MySQL ServerMySQL ProtocolSERVER:INNODB DML FOREIGN KEYSNo4.0NetworkLowSingleNoneNonePartial+5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6564MySQL ServerMySQL ProtocolSERVER:INNODB FULLTEXT SEARCH DMLNo4.0NetworkLowSingleNoneNonePartial+5.6.19 and earlier
CVE-2014-6505MySQL ServerMySQL ProtocolSERVER:MEMORY STORAGE ENGINENo4.0NetworkLowSingleNoneNonePartial+5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6474MySQL ServerMemcachedSERVER:MEMCACHEDNo3.5NetworkMediumSingleNoneNonePartial+5.6.19 and earlier
CVE-2014-6463MySQL ServerMySQL ProtocolSERVER:REPLICATION ROW FORMAT BINARY LOG DMLNo3.3NetworkLowMultipleNoneNonePartial+5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6551MySQL ServerMySQL ProtocolCLIENT:MYSQLADMINNo2.1LocalLowNonePartialNoneNone5.5.38 and earlier, 5.6.19 and earlier


No comments:

Post a Comment