According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
save_window_function_values in MariaDB before 10.6.3 allows an application crash because of incorrect handling of with_window_func=true for a subquery. (CVE-2021-46658)
MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery. (CVE-2021-46662)
An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27378)
An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27380)
An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27381)
MariaDB Server v10.6 and below was discovered to contain a use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements. (CVE-2022-27383)
An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27384)
An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27385)
MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc. (CVE-2022-27386)
MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements. (CVE-2022-27387)
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc. (CVE-2022-27445)
There is an Assertion failure in MariaDB Server v10.9 and below via ‘node->pcur->rel_pos == BTR_PCUR_ON’ at /row/row0mysql.cc. (CVE-2022-27448)
MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c. (CVE-2022-27455)
MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c. (CVE-2022-27457)
MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_xbstream.cc, when an error occurs (stream_ctxt->dest_file == NULL) while executing the method xbstream_open, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31621)
MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31622)
MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (i.e., going to the err label) while executing the method create_worker_threads, the held lock thd->ctrl_mutex is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31623)
MariaDB Server before 10.7 is vulnerable to Denial of Service. While executing the plugin/server_audit/server_audit.c method log_statement_ex, the held lock lock_bigbuffer is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31624)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(164205);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/13");
  script_cve_id(
    "CVE-2021-46658",
    "CVE-2021-46662",
    "CVE-2022-27378",
    "CVE-2022-27380",
    "CVE-2022-27381",
    "CVE-2022-27383",
    "CVE-2022-27384",
    "CVE-2022-27385",
    "CVE-2022-27386",
    "CVE-2022-27387",
    "CVE-2022-27445",
    "CVE-2022-27448",
    "CVE-2022-27455",
    "CVE-2022-27457",
    "CVE-2022-31621",
    "CVE-2022-31622",
    "CVE-2022-31623",
    "CVE-2022-31624"
  );
  script_name(english:"EulerOS 2.0 SP8 : mariadb (EulerOS-SA-2022-2227)");
  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :
- save_window_function_values in MariaDB before 10.6.3 allows an application crash because of incorrect
handling of with_window_func=true for a subquery. (CVE-2021-46658)
- MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in
conjunction with a nested subquery. (CVE-2021-46662)
- An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to
allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27378)
- An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to
allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27380)
- An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow
attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27381)
- MariaDB Server v10.6 and below was discovered to contain an use-after-free in the component
my_strcasecmp_8bit, which is exploited via specially crafted SQL statements. (CVE-2022-27383)
- An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was
discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
(CVE-2022-27384)
- An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server
v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted
SQL statements. (CVE-2022-27385)
- MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component
sql/sql_class.cc. (CVE-2022-27386)
- MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component
decimal_bin_size, which is exploited via specially crafted SQL statements. (CVE-2022-27387)
- MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component
sql/sql_window.cc. (CVE-2022-27445)
- There is an Assertion failure in MariaDB Server v10.9 and below via 'node->pcur->rel_pos == BTR_PCUR_ON'
at /row/row0mysql.cc. (CVE-2022-27448)
- MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component
my_wildcmp_8bit_impl at /strings/ctype-simple.c. (CVE-2022-27455)
- MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component
my_mb_wc_latin1 at /strings/ctype-latin1.c. (CVE-2022-27457)
- MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_xbstream.cc, when
an error occurs (stream_ctxt->dest_file == NULL) while executing the method xbstream_open, the held lock
is not released correctly, which allows local users to trigger a denial of service due to the deadlock.
(CVE-2022-31621)
- MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when
an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads,
the held lock is not released correctly, which allows local users to trigger a denial of service due to
the deadlock. (CVE-2022-31622)
- MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when
an error occurs (i.e., going to the err label) while executing the method create_worker_threads, the held
lock thd->ctrl_mutex is not released correctly, which allows local users to trigger a denial of service
due to the deadlock. (CVE-2022-31623)
- MariaDB Server before 10.7 is vulnerable to Denial of Service. While executing the
plugin/server_audit/server_audit.c method log_statement_ex, the held lock lock_bigbuffer is not released
correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31624)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-2227
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2df561b8");
  script_set_attribute(attribute:"solution", value:
"Update the affected mariadb packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-27457");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/08/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/08/17");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:mariadb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:mariadb-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:mariadb-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");
  exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
var flag = 0;
var pkgs = [
  "mariadb-10.3.9-2.h6.eulerosv2r8",
  "mariadb-common-10.3.9-2.h6.eulerosv2r8",
  "mariadb-devel-10.3.9-2.h6.eulerosv2r8"
];
foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
if (flag)
{
  security_report_v4(
    port : 0,
    severity : SECURITY_WARNING,
    extra : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mariadb");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46658
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46662
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27378
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27381
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27383
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27384
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27385
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27386
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27387
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27445
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27448
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27455
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27457
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31621
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31622
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31623
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31624
www.nessus.org/u?2df561b8