Oracle provided the following Risk Matrix to their MySQL customers, which lists each vulnerability's CVE number, the affected component and a number of other details.
I've included a copy of that Matrix for readers to review below.
As the reader can clearly see, the risk for unpatched MySQL users is huge. A total of 154 vulnerabilities are addressed with this update, 24 of them in MySQL. Some of these vulnerabilities reach a forehead-slapping CVSS score of 9.0 (just one point beneath the score for the recent Shellshock bash vulnerability).
I highly advise anyone using MySQL or any Oracle product, including Java, to update their software immediately.
Oracle MySQL Risk Matrix
The Base Score through Availability columns are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6507 | MySQL Server | MySQL Protocol | SERVER:DML | No | 8.0 | Network | Low | Single | Partial+ | Partial+ | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6491 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6500 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6469 | MySQL Server | MySQL Protocol | SERVER:OPTIMIZER | No | 6.8 | Network | Low | Single | None | None | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-0224 | MySQL Server | MySQL Protocol | SERVER:SSL:OpenSSL | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 5.6.19 and earlier | See Note 1 |
| CVE-2014-6530 | MySQL Server | MySQL Protocol | CLIENT:MYSQLDUMP | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6555 | MySQL Server | MySQL Protocol | SERVER:DML | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6489 | MySQL Server | MySQL Protocol | SERVER:SP | No | 5.5 | Network | Low | Single | None | Partial | Partial+ | 5.6.19 and earlier | |
| CVE-2012-5615 | MySQL Server | MySQL Protocol | SERVER:PRIVILEGES AUTHENTICATION PLUGIN API | Yes | 5.0 | Network | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6559 | MySQL Server | MySQL Protocol | C API SSL CERTIFICATE HANDLING | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6494 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6496 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6495 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6478 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-4274 | MySQL Server | MySQL Protocol | SERVER:MyISAM | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-4287 | MySQL Server | MySQL Protocol | SERVER:CHARACTER SETS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6520 | MySQL Server | MySQL Protocol | SERVER:DDL | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier | |
| CVE-2014-6484 | MySQL Server | MySQL Protocol | SERVER:DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6464 | MySQL Server | MySQL Protocol | SERVER:INNODB DML FOREIGN KEYS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6564 | MySQL Server | MySQL Protocol | SERVER:INNODB FULLTEXT SEARCH DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.19 and earlier | |
| CVE-2014-6505 | MySQL Server | MySQL Protocol | SERVER:MEMORY STORAGE ENGINE | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6474 | MySQL Server | Memcached | SERVER:MEMCACHED | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.19 and earlier | |
| CVE-2014-6463 | MySQL Server | MySQL Protocol | SERVER:REPLICATION ROW FORMAT BINARY LOG DML | No | 3.3 | Network | Low | Multiple | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6551 | MySQL Server | MySQL Protocol | CLIENT:MYSQLADMIN | No | 2.1 | Local | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |
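The matrix columns are the standard CVSS v2.0 base metrics, so a defender can recompute each Base Score from the Access Vector, Access Complexity, Authentication and C/I/A cells to sanity-check the published numbers, and use the "Remote Exploit without Auth.?" column to decide what to patch first. The script below is an added example, not Oracle's code; the weights are the published CVSS v2.0 values and the rows are a constructed subset copied from the matrix above.

```python
# Added example: recompute the CVSS v2.0 base score from the AV/AC/Au/C/I/A
# columns of Oracle's risk matrix, flag rows whose published score disagrees
# with the formula, and order the rows for patching (remote-unauth first).
from decimal import Decimal, ROUND_HALF_UP

# Standard CVSS v2.0 metric weights.
AV = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

def cvss2_base(av, ac, au, c, i, a):
    """CVSS v2.0 base score, rounded half-up to one decimal as the spec does."""
    # Oracle writes "Partial+" where the impact can exceed Partial on some
    # platforms; the metric value used for scoring is still Partial.
    c, i, a = (x.rstrip("+") for x in (c, i, a))
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

# Constructed subset of the rows in the matrix above:
# (CVE, remote exploit without auth?, published base score, AV, AC, Au, C, I, A)
MATRIX_ROWS = [
    ("CVE-2014-6507", "No", 8.0, "Network", "Low", "Single", "Partial+", "Partial+", "Complete"),
    ("CVE-2014-6491", "Yes", 7.5, "Network", "Low", "None", "Partial+", "Partial+", "Partial+"),
    ("CVE-2014-0224", "Yes", 6.8, "Network", "Medium", "None", "Partial", "Partial", "Partial"),
    ("CVE-2014-6489", "No", 5.5, "Network", "Low", "Single", "None", "Partial", "Partial+"),
    ("CVE-2012-5615", "Yes", 5.0, "Network", "Low", "None", "Partial", "None", "None"),
    ("CVE-2014-4274", "No", 4.1, "Local", "Medium", "Single", "Partial+", "Partial+", "Partial+"),
    ("CVE-2014-6463", "No", 3.3, "Network", "Low", "Multiple", "None", "None", "Partial+"),
    ("CVE-2014-6551", "No", 2.1, "Local", "Low", "None", "Partial", "None", "None"),
]

def check_matrix(rows):
    """Map CVE -> (published, recomputed) for every row whose score does not match."""
    mismatches = {}
    for cve, _remote, published, *vector in rows:
        recomputed = cvss2_base(*vector)
        if recomputed != published:
            mismatches[cve] = (published, recomputed)
    return mismatches

def patch_order(rows):
    """CVEs in patching order: remote-unauthenticated first, then by base score."""
    ranked = sorted(rows, key=lambda r: (r[1] != "Yes", -r[2]))
    return [r[0] for r in ranked]
```

Running `check_matrix(MATRIX_ROWS)` on these rows returns an empty dict, i.e. every published score matches the formula, and `patch_order` puts the three yaSSL/OpenSSL/authentication-plugin issues reachable without credentials ahead of the higher-scored but authenticated CVE-2014-6507.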