MariaDB Server 10.2.x < 10.2.3 Multiple DoS

2017-01-26T00:00:00
ID 9916.PRM
Type nessus
Reporter Tenable
Modified 2019-03-06T00:00:00

Description

The version of MariaDB installed on the remote host is 10.2.x prior to 10.2.3, and is affected by multiple DoS vulnerabilities:

  • A flaw exists in the 'wsrep_replicate_myisam' functionality that is triggered when dropping 'myisam' tables. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'trx_state_eq()' function that is triggered during the handling of state errors. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'lock_rec_queue_validate()' function in 'lock/lock0lock.cc' that is triggered during the handling of lock requests. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'date_add_interval()' function in 'sql/sql_time.cc' that is triggered during the handling of INTERVAL arguments. This may allow an authenticated attacker to crash the database.
  • A flaw exists in 'sql/item_subselect.cc' that is triggered during the handling of queries from the select/unit tree. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'Item::check_well_formed_result()' function in 'sql/item.cc' that is triggered during the handling of row validation. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'lex_one_token()' function in 'sql/sql_lex.cc' that is triggered during the handling of a specially crafted query. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'check_contains()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of a specially crafted array. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'QUICK_RANGE_SELECT::init_ror_merged_scan()' function in 'sql/opt_range.cc' that is triggered during the handling of a specially crafted table column. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'Item_func_json_extract::val_str()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of scalar values. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'mark_object()' and 'mark_array()' functions in 'strings/json_lib.c' that is triggered during the handling of 'JSON_VALID' selections. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'handle_match()' function in 'strings/json_lib.c' that is triggered during the handling of JSON arrays. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'Item_func_json_array::fix_length_and_dec()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of NULL arguments. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'Item_json_typecast::fix_length_and_dec()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of JSON casting. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'parse_one_or_all()' function in 'sql/item_jsonfunc.cc' that is triggered when handling input passed via the 'one_or_all' parameter. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'Item_func_json_extract::val_str()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of 'value_length'. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'Item_func_json_extract::val_int()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of NULL paths. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'mysql_rm_table_no_locks()' function in 'sql/sql_table.cc' that is triggered when dropping temporary tables. This may allow an authenticated attacker to crash the database. This issue was introduced in commit 7305be2f7e724e5e62961606794beab199d79045 on 2016-06-10.
  • A flaw exists in the 'check_view_single_update()' function in 'sql/sql_insert.cc' that is triggered when inserting specially crafted tables. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'lock_reset_lock_and_trx_wait()' function in 'storage/innobase/lock/lock0lock.cc' that is triggered when handling values (e.g. NULL) in 'wait_lock'. This may allow an authenticated attacker to crash the database.
  • A flaw exists in the 'Item_cache::safe_charset_converter()' function in 'sql/item.cc' that is triggered during the handling of a specially crafted subselect query item. This may allow an authenticated attacker to crash the database.

NOTE: Depending on how the database is deployed, these vulnerabilities may require authenticated access (e.g. daily DBA duties) or may be exploitable by a remote attacker (e.g. through a web application that interfaces with the database).
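To triage an inventory against the affected range stated above (10.2.x prior to 10.2.3), the following added example, which is not part of the Tenable plugin, classifies MariaDB version strings. It assumes banners come either from `SELECT VERSION()` or from the protocol handshake, where MariaDB 10.x servers prepend `5.5.5-`; the host names and the function names are constructed for illustration.

```python
import re

# Fixed version from the advisory: 10.2.x releases below this are affected.
FIXED = (10, 2, 3)

# Optional "5.5.5-" is the compatibility prefix MariaDB 10.x sends in the
# handshake; the rest is major.minor.patch plus a vendor/build suffix.
_VERSION_RE = re.compile(r"^(?:5\.5\.5-)?(\d+)\.(\d+)\.(\d+)(?:-(.*))?$")


def classify(banner):
    """Return 'affected', 'not_affected', 'not_mariadb' or 'unparsed'."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return "unparsed"
    version = tuple(int(g) for g in m.group(1, 2, 3))
    suffix = (m.group(4) or "").lower()
    # Without the MariaDB marker the number could belong to MySQL or a fork,
    # so the advisory's range does not apply to it.
    if "mariadb" not in suffix:
        return "not_mariadb"
    if version[:2] == (10, 2) and version < FIXED:
        return "affected"
    return "not_affected"


def affected_hosts(inventory):
    """Return the sorted host names whose banner falls in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "db-a.example.internal": "5.5.5-10.2.2-MariaDB",         # handshake form
    "db-b.example.internal": "10.2.3-MariaDB-log",           # fixed release
    "db-c.example.internal": "10.1.20-MariaDB-1~xenial",     # other branch
    "db-d.example.internal": "5.7.17-log",                   # not MariaDB
    "db-e.example.internal": "10.2.0-MariaDB",               # SELECT VERSION()
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```

A banner only reflects what the server reports; distribution packages with backported fixes need to be confirmed against the vendor's changelog.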

                                        