(RHSA-2022:1010) Moderate: rh-mariadb103-mariadb security and bug fix update

Published: Mar 22, 2022, 12:12 p.m. (2022-03-22 12:12:53)
CWE: CWE-89
Source: access.redhat.com

CVSS2: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

EPSS: 0.319 (Percentile: 97.1%)

MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL.

The following packages have been upgraded to a later upstream version: rh-mariadb103-mariadb (10.3.32), rh-mariadb103-galera (25.3.34). (BZ#2050544)

Security Fix(es):

  • mysql: Server: DML unspecified vulnerability (CPU Apr 2021) (CVE-2021-2154)

  • mysql: Server: DML unspecified vulnerability (CPU Apr 2021) (CVE-2021-2166)

  • mysql: InnoDB unspecified vulnerability (CPU Jul 2021) (CVE-2021-2372)

  • mysql: InnoDB unspecified vulnerability (CPU Jul 2021) (CVE-2021-2389)

  • mysql: InnoDB unspecified vulnerability (CPU Oct 2021) (CVE-2021-35604)

  • mariadb: Integer overflow in sql_lex.cc integer leading to crash (CVE-2021-46667)

  • mariadb: Crash in get_sort_by_table() in subquery with ORDER BY having outer ref (CVE-2021-46657)

  • mariadb: Crash in set_var.cc via certain UPDATE queries with nested subqueries (CVE-2021-46662)

  • mariadb: Crash caused by mishandling of a pushdown from a HAVING clause to a WHERE clause (CVE-2021-46666)

  • mariadb: No password masking in audit log when using ALTER USER <user> IDENTIFIED BY <password> command (BZ#1981332)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • rh-mariadb103: /etc/security/user_map.conf getting overwritten with mariadb-server upgrade (BZ#2050516)

  • mysqld got signal 6, “WSREP: invalid state ROLLED_BACK (FATAL)” (BZ#2050520)

  • MariaDB logrotate leads to “gzip: stdin: file size changed while zipping” (BZ#2050538)

  • Galera doesn’t work without ‘procps-ng’ package [rhscl-3] (BZ#2050549)

Affected configurations

Vulners node: any one of these packages (vendor: redhat)
     mysql                     Range  8.0-8040020210824134700.522a0ee4
  OR mariadb                   Range  10.3-8050020220204122328.c5368500
  OR mariadb                   Range  10.5-8050020220204122540.c5368500
  OR mariadb                   Range  10.3-8040020220429075504.522a0ee4
  OR rh-mysql80-mysql-0        Range  8.0.26-1.el7
  OR rh-mariadb105-galera-0    Range  26.4.9-3.el7
  OR rh-mariadb105-mariadb-3   Range  10.5.13-1.el7
  OR rh-mariadb103-galera-0    Range  25.3.34-4.el7
  OR rh-mariadb103-mariadb-3   Range  10.3.32-2.el7
  OR mysql                     Range  8.0-8060020220830124159.ad008a3a
  OR mysql                     Range  8.0.30-3.el9_0
  OR rh-mysql80-mysql-0        Range  8.0.30-1.el7
AND one of these platforms (vendor: redhat)
     enterprise_linux          Match  8
  OR enterprise_linux          Match  9

Vendor   Product                   Version   CPE
redhat   mysql                     *         cpe:2.3:a:redhat:mysql:*:*:*:*:*:*:*:*
redhat   mariadb                   *         cpe:2.3:a:redhat:mariadb:*:*:*:*:*:*:*:*
redhat   rh-mysql80-mysql-0        *         cpe:2.3:a:redhat:rh-mysql80-mysql-0:*:*:*:*:*:*:*:*
redhat   rh-mariadb105-galera-0    *         cpe:2.3:a:redhat:rh-mariadb105-galera-0:*:*:*:*:*:*:*:*
redhat   rh-mariadb105-mariadb-3   *         cpe:2.3:a:redhat:rh-mariadb105-mariadb-3:*:*:*:*:*:*:*:*
redhat   rh-mariadb103-galera-0    *         cpe:2.3:a:redhat:rh-mariadb103-galera-0:*:*:*:*:*:*:*:*
redhat   rh-mariadb103-mariadb-3   *         cpe:2.3:a:redhat:rh-mariadb103-mariadb-3:*:*:*:*:*:*:*:*
redhat   enterprise_linux          8         cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
redhat   enterprise_linux          9         cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*
