Lucene search

AmazonALAS-2016-738

HistoryAug 17, 2016 - 1:30 p.m.

Important: mysql55

2016-08-1713:30:00

alas.aws.amazon.com

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

75.8%

JSON

Issue Overview:

It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client. (CVE-2016-2047)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to UDF. (CVE-2016-0608)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to privileges. (CVE-2016-0609)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Options. (CVE-2016-0505)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. (CVE-2016-0600)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0616)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption. (CVE-2016-3452)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to DDL. (CVE-2016-0644)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. (CVE-2016-3477)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0596)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0597)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect integrity and availability via vectors related to DML. (CVE-2016-0640)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-3521)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect integrity and availability via vectors related to Federated. (CVE-2016-0642)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect confidentiality via vectors related to DML. (CVE-2016-0643)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to Security: Privileges. (CVE-2016-0666)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer. (CVE-2016-0651)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to Replication. (CVE-2016-0650)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0598)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to PS. (CVE-2016-0649)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. (CVE-2016-5440)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Connection. (CVE-2016-5444)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect integrity via unknown vectors related to encryption. (CVE-2016-0606)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to PS. (CVE-2016-0648)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to DML. (CVE-2016-0646)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. (CVE-2016-0546)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to FTS. (CVE-2016-0647)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote authenticated users to affect availability via vectors related to Server: DML. (CVE-2016-3615)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect confidentiality and availability via vectors related to MyISAM. (CVE-2016-0641)

Affected Packages:

mysql55

Issue Correction:
Run yum update mysql55 to update your system.

New Packages:

i686:  
    mysql55-libs-5.5.51-1.11.amzn1.i686  
    mysql55-debuginfo-5.5.51-1.11.amzn1.i686  
    mysql55-bench-5.5.51-1.11.amzn1.i686  
    mysql55-embedded-devel-5.5.51-1.11.amzn1.i686  
    mysql55-test-5.5.51-1.11.amzn1.i686  
    mysql55-devel-5.5.51-1.11.amzn1.i686  
    mysql55-5.5.51-1.11.amzn1.i686  
    mysql55-server-5.5.51-1.11.amzn1.i686  
    mysql-config-5.5.51-1.11.amzn1.i686  
    mysql55-embedded-5.5.51-1.11.amzn1.i686  
  
src:  
    mysql55-5.5.51-1.11.amzn1.src  
  
x86_64:  
    mysql-config-5.5.51-1.11.amzn1.x86_64  
    mysql55-bench-5.5.51-1.11.amzn1.x86_64  
    mysql55-debuginfo-5.5.51-1.11.amzn1.x86_64  
    mysql55-libs-5.5.51-1.11.amzn1.x86_64  
    mysql55-server-5.5.51-1.11.amzn1.x86_64  
    mysql55-embedded-5.5.51-1.11.amzn1.x86_64  
    mysql55-embedded-devel-5.5.51-1.11.amzn1.x86_64  
    mysql55-devel-5.5.51-1.11.amzn1.x86_64  
    mysql55-test-5.5.51-1.11.amzn1.x86_64  
    mysql55-5.5.51-1.11.amzn1.x86_64

Additional References

Red Hat: CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0616, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0666, CVE-2016-2047, CVE-2016-3452, CVE-2016-3477, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440, CVE-2016-5444

Mitre: CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0616, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0666, CVE-2016-2047, CVE-2016-3452, CVE-2016-3477, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440, CVE-2016-5444

OSVersionArchitecturePackageVersionFilename
Amazon Linux1i686mysql55-libs< 5.5.51-1.11.amzn1mysql55-libs-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55-debuginfo< 5.5.51-1.11.amzn1mysql55-debuginfo-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55-bench< 5.5.51-1.11.amzn1mysql55-bench-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55-embedded-devel< 5.5.51-1.11.amzn1mysql55-embedded-devel-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55-test< 5.5.51-1.11.amzn1mysql55-test-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55-devel< 5.5.51-1.11.amzn1mysql55-devel-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55< 5.5.51-1.11.amzn1mysql55-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55-server< 5.5.51-1.11.amzn1mysql55-server-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql-config< 5.5.51-1.11.amzn1mysql-config-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux1i686mysql55-embedded< 5.5.51-1.11.amzn1mysql55-embedded-5.5.51-1.11.amzn1.i686.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	i686	mysql55-libs	< 5.5.51-1.11.amzn1	mysql55-libs-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55-debuginfo	< 5.5.51-1.11.amzn1	mysql55-debuginfo-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55-bench	< 5.5.51-1.11.amzn1	mysql55-bench-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55-embedded-devel	< 5.5.51-1.11.amzn1	mysql55-embedded-devel-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55-test	< 5.5.51-1.11.amzn1	mysql55-test-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55-devel	< 5.5.51-1.11.amzn1	mysql55-devel-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55	< 5.5.51-1.11.amzn1	mysql55-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55-server	< 5.5.51-1.11.amzn1	mysql55-server-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql-config	< 5.5.51-1.11.amzn1	mysql-config-5.5.51-1.11.amzn1.i686.rpm
Amazon Linux	1	i686	mysql55-embedded	< 5.5.51-1.11.amzn1	mysql55-embedded-5.5.51-1.11.amzn1.i686.rpm