The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Oracle MySQL: vulnerabilities of July 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle MySQL.
Vulnerable software: Debian, Unisphere EMC, Fedora, MariaDB ~ precise, MySQL Community, MySQL Enterprise, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Percona Server, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this bulletin: 3/4.
Number of vulnerabilities in this bulletin: 22.
Creation date: 20/07/2016.
References of this computer vulnerability: bulletinapr2017, CERTFR-2016-AVI-246, cpujul2016, cpujul2018, CVE-2016-2105, CVE-2016-3424, CVE-2016-3440, CVE-2016-3452, CVE-2016-3459, CVE-2016-3471, CVE-2016-3477, CVE-2016-3486, CVE-2016-3501, CVE-2016-3518, CVE-2016-3521, CVE-2016-3588, CVE-2016-3614, CVE-2016-3615, CVE-2016-5436, CVE-2016-5437, CVE-2016-5439, CVE-2016-5440, CVE-2016-5441, CVE-2016-5442, CVE-2016-5443, CVE-2016-5444, DLA-567-2, DSA-2020-062, DSA-3624-1, DSA-3632-1, FEDORA-2016-c199b14cd9, openSUSE-SU-2016:2278-1, openSUSE-SU-2016:2746-1, openSUSE-SU-2016:2769-1, openSUSE-SU-2016:2788-1, RHSA-2016:1480-01, RHSA-2016:1481-01, RHSA-2016:1601-01, RHSA-2016:1602-01, RHSA-2016:1603-01, RHSA-2016:1604-01, RHSA-2016:1637-01, SUSE-SU-2016:2343-1, USN-3040-1, VIGILANCE-VUL-20173.

Description of the vulnerability

Several vulnerabilities were announced in Oracle MySQL.

An attacker can use a vulnerability via Server: Parser, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3477]

An attacker can use a vulnerability via Server: Optimizer, in order to trigger a denial of service. [severity:3/4; CVE-2016-3440]

An attacker can use a vulnerability via Server: Security: Encryption, in order to trigger a denial of service. [severity:3/4; CVE-2016-2105]

An attacker can use a vulnerability via Server: Option, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3471]

An attacker can use a vulnerability via Server: FTS, in order to trigger a denial of service. [severity:2/4; CVE-2016-3486]

An attacker can use a vulnerability via Server: Optimizer, in order to trigger a denial of service. [severity:2/4; CVE-2016-3501]

An attacker can use a vulnerability via Server: Optimizer, in order to trigger a denial of service. [severity:2/4; CVE-2016-3518]

An attacker can use a vulnerability via Server: Types, in order to trigger a denial of service. [severity:2/4; CVE-2016-3521]

An attacker can use a vulnerability via Server: InnoDB, in order to trigger a denial of service. [severity:2/4; CVE-2016-3588]

An attacker can use a vulnerability via Server: DML, in order to trigger a denial of service. [severity:2/4; CVE-2016-3615]

An attacker can use a vulnerability via Server: Security: Encryption, in order to trigger a denial of service. [severity:2/4; CVE-2016-3614]

An attacker can use a vulnerability via Server: InnoDB, in order to trigger a denial of service. [severity:2/4; CVE-2016-5436]

An attacker can use a vulnerability via Server: InnoDB, in order to trigger a denial of service. [severity:2/4; CVE-2016-3459]

An attacker can use a vulnerability via Server: Log, in order to trigger a denial of service. [severity:2/4; CVE-2016-5437]

An attacker can use a vulnerability via Server: Optimizer, in order to trigger a denial of service. [severity:2/4; CVE-2016-3424]

An attacker can use a vulnerability via Server: Privileges, in order to trigger a denial of service. [severity:2/4; CVE-2016-5439]

An attacker can use a vulnerability via Server: RBR, in order to trigger a denial of service. [severity:2/4; CVE-2016-5440]

An attacker can use a vulnerability via Server: Replication, in order to trigger a denial of service. [severity:2/4; CVE-2016-5441]

An attacker can use a vulnerability via Server: Security: Encryption, in order to trigger a denial of service. [severity:2/4; CVE-2016-5442]

An attacker can use a vulnerability via Server: Connection, in order to trigger a denial of service. [severity:2/4; CVE-2016-5443]

An attacker can use a vulnerability via Server: Connection, in order to obtain information. [severity:1/4; CVE-2016-5444]

An attacker can use a vulnerability via Server: Security: Encryption, in order to obtain information. [severity:1/4; CVE-2016-3452]

This security weakness impacts software or systems such as Debian, Unisphere EMC, Fedora, MariaDB ~ precise, MySQL Community, MySQL Enterprise, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Percona Server, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this threat bulletin is important.

The trust level is "confirmed by the editor", and the attack origin is "user account".

This bulletin is about 22 vulnerabilities.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with technician-level skills can exploit this threat.

Solutions for this threat

Oracle MySQL: version 5.7.13.
The version 5.7.13 is fixed:
  https://support.oracle.com/rs?type=doc&id=2157431.1

Oracle MySQL: version 5.6.31.
The version 5.6.31 is fixed:
  https://support.oracle.com/rs?type=doc&id=2157431.1

Oracle MySQL: version 5.5.50.
The version 5.5.50 is fixed:
  https://support.oracle.com/rs?type=doc&id=2157431.1

MariaDB: version 10.1.16.
The version 10.1.16 is fixed:
  https://downloads.mariadb.org/

MariaDB: version 10.0.26.
The version 10.0.26 is fixed:
  https://downloads.mariadb.org/

MariaDB: version 5.5.50.
The version 5.5.50 is fixed:
  https://downloads.mariadb.org/

Debian 8: new mariadb-10.0 packages.
New packages are available:
  Debian 8: mariadb-10.0 10.0.26-0+deb8u1

Debian: new mysql-5.5 packages.
New packages are available:
  Debian 7: mysql-5.5 5.5.50-0+deb7u2
  Debian 8: mysql-5.5 5.5.50-0+deb8u1

Dell EMC Unisphere for PowerMax: solution.
The solution is indicated in information sources.

Fedora 23: new mariadb packages.
New packages are available:
  Fedora 23: mariadb 10.0.26-1.fc23

openSUSE 13.2: new mariadb packages.
New packages are available:
  openSUSE 13.2: mariadb 10.0.27-2.27.1

openSUSE Leap 42.1: new mariadb packages.
New packages are available:
  openSUSE Leap 42.1: mariadb 10.0.26-9.1

openSUSE: new mysql-community-server packages.
New packages are available:
  openSUSE 13.2: mysql-community-server 5.6.34-2.23.1
  openSUSE Leap 42.1: mysql-community-server 5.6.34-19.2
  openSUSE Leap 42.2: mysql-community-server 5.6.34-19.2

Oracle Communications: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2410237.1
  https://support.oracle.com/rs?type=doc&id=2406191.1
  https://support.oracle.com/rs?type=doc&id=2410234.1
  https://support.oracle.com/rs?type=doc&id=2408211.1
  https://support.oracle.com/rs?type=doc&id=2406689.1
  https://support.oracle.com/rs?type=doc&id=2408212.1
  https://support.oracle.com/rs?type=doc&id=2410243.1
  https://support.oracle.com/rs?type=doc&id=2410198.1

Oracle Solaris: patch for third party software of April 2017 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Percona Server: versions 5.5.50-38.0, 5.6.31-77.0 and 5.7.13-6.
Versions 5.5.50-38.0, 5.6.31-77.0 and 5.7.13-6 are fixed:
  https://www.percona.com/blog/2016/07/08/percona-server-5-5-50-38-0-is-now-available/
  https://www.percona.com/blog/2016/07/06/percona-server-5-7-13-6-is-now-available/
  https://www.percona.com/blog/2016/07/07/percona-server-5-6-31-77-0-now-available/

RHEL 7.2: new mariadb packages.
New packages are available:
  RHEL 7: mariadb 5.5.50-1.el7_2

RHEL: new mariadb55-mariadb packages (11/08/2016).
New packages are available:
  RHEL 6: mariadb55-mariadb 5.5.50-1.el6
  RHEL 7: mariadb55-mariadb 5.5.50-1.el7

RHEL: new mariadb55-mariadb packages (25/07/2016).
New packages are available:
  RHEL 6: mariadb55-mariadb 5.5.49-1.el6
  RHEL 7: mariadb55-mariadb 5.5.49-1.el7

RHEL: new mysql55-mysql packages.
New packages are available:
  RHEL 6: mysql55-mysql 5.5.50-1.el6
  RHEL 7: mysql55-mysql 5.5.50-1.el7

RHEL: new rh-mariadb100-mariadb packages.
New packages are available:
  RHEL 6: rh-mariadb100-mariadb 10.0.26-2.el6

RHEL: new rh-mariadb101-mariadb packages.
New packages are available:
  RHEL 6: rh-mariadb101-mariadb 10.1.16-1.el6
  RHEL 7: rh-mariadb101-mariadb 10.1.16-1.el7

RHEL: new rh-mysql56-mysql packages.
New packages are available:
  RHEL 6: rh-mysql56-mysql 5.6.32-1.el6
  RHEL 7: rh-mysql56-mysql 5.6.32-1.el7

SUSE LE 11: new mysql packages.
New packages are available:
  SUSE LE 11 SP4: mysql 5.5.52-0.27.1
  SUSE LE 11 SP3: mysql 5.5.52-0.27.1

Ubuntu: new mysql-server-5.x packages.
New packages are available:
  Ubuntu 16.04 LTS: mysql-server-5.7 5.7.13-0ubuntu0.16.04.2
  Ubuntu 15.10: mysql-server-5.6 5.6.31-0ubuntu0.15.10.1
  Ubuntu 14.04 LTS: mysql-server-5.5 5.5.50-0ubuntu0.14.04.1
  Ubuntu 12.04 LTS: mysql-server-5.5 5.5.50-0ubuntu0.12.04.1
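A small triage helper to go with the fixed versions listed above (an added example, not part of the Vigil@nce bulletin): it compares the version string a server reports via SELECT VERSION() against the upstream fixed releases of this bulletin (MySQL 5.5.50 / 5.6.31 / 5.7.13, MariaDB 5.5.50 / 10.0.26 / 10.1.16). The sample version strings are constructed; the FIXED table and the result labels are this example's own.

```python
# Constructed example: classify a server-reported version against the fixed
# upstream versions in this bulletin. Distribution builds are flagged rather
# than compared, because they may carry backported fixes at a lower upstream
# number (e.g. the RHEL mariadb55 5.5.49 packages listed above).
import re

# Fixed upstream releases per branch, taken from the bulletin's solution list.
FIXED = {
    "mysql":   {(5, 5): (5, 5, 50), (5, 6): (5, 6, 31), (5, 7): (5, 7, 13)},
    "mariadb": {(5, 5): (5, 5, 50), (10, 0): (10, 0, 26), (10, 1): (10, 1, 16)},
}

# Suffix markers of distribution builds whose numbers do not map to upstream.
DISTRO_MARKERS = re.compile(r"(deb|ubuntu|el\d|fc\d|suse)", re.I)


def parse_version(reported):
    """Split 'SELECT VERSION()' output into (flavour, (major, minor, patch), suffix)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", reported.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {reported!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    flavour = "mariadb" if "mariadb" in reported.lower() else "mysql"
    return flavour, nums, m.group(4)


def assess(reported):
    """Return 'fixed', 'vulnerable', 'unknown-branch' or 'distro-package'."""
    flavour, nums, suffix = parse_version(reported)
    if DISTRO_MARKERS.search(suffix):
        # Debian/Ubuntu-style strings: check the vendor advisory, not upstream.
        return "distro-package"
    fixed = FIXED[flavour].get(nums[:2])
    if fixed is None:
        # Branch not covered by this bulletin (e.g. a later major release).
        return "unknown-branch"
    return "fixed" if nums >= fixed else "vulnerable"


if __name__ == "__main__":
    for v in ("5.7.13-log", "5.6.30", "10.1.16-MariaDB",
              "10.0.25-MariaDB-log", "5.7.13-0ubuntu0.16.04.2"):
        print(f"{v:28} -> {assess(v)}")
```

RHEL and SUSE builds report the plain upstream number with no distribution marker, so a "vulnerable" result on those platforms must still be checked against the RHSA/SUSE-SU package versions listed above.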
