The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of SQLite: denial of service via Window Functions

Synthesis of the vulnerability 

An attacker can trigger a fatal error via Window Functions of SQLite, in order to trigger a denial of service.
Vulnerable systems: Debian, FreeBSD, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, WebLogic, Percona Server, SQLite, Ubuntu.
Severity of this threat: 1/4.
Creation date: 10/04/2020.
References of this weakness: cpujan2021, cpujul2020, cpuoct2020, CVE-2020-11655, DLA-2203-1, DLA-2340-1, DLA-2340-2, FreeBSD-SA-20:22.sqlite, USN-4394-1, VIGILANCE-VUL-31994.

Description of the vulnerability 

An attacker can trigger a fatal error via Window Functions of SQLite, in order to trigger a denial of service.

This weakness note impacts software or systems such as Debian, FreeBSD, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, WebLogic, Percona Server, SQLite, Ubuntu.

Our Vigil@nce team determined that the severity of this threat note is low.

The trust level is "confirmed by the editor", and the attack origin is a user account.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this weakness.

Solutions for this threat 

SQLite: patch for Window Functions.
A patch is indicated in information sources.

Debian 8: new sqlite3 packages.
New packages are available:
  Debian 8: sqlite3 3.8.7.1-1+deb8u5

Debian 9: new sqlite3 packages.
New packages are available:
  Debian 9: sqlite3 3.16.2-5+deb9u3

FreeBSD: patch for sqlite3.
A patch is available:
  https://security.FreeBSD.org/patches/SA-20:22/sqlite.12.1.patch
  https://security.FreeBSD.org/patches/SA-20:22/sqlite.11.4.patch
  https://security.FreeBSD.org/patches/SA-20:22/sqlite.11.3.patch

Oracle Communications: CPU of July 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2681987.1
  https://support.oracle.com/rs?type=doc&id=2682459.1
  https://support.oracle.com/rs?type=doc&id=2682014.1
  https://support.oracle.com/rs?type=doc&id=2683787.1
  https://support.oracle.com/rs?type=doc&id=2683788.1
  https://support.oracle.com/rs?type=doc&id=2683789.1
  https://support.oracle.com/rs?type=doc&id=2682045.1
  https://support.oracle.com/rs?type=doc&id=2683831.1
  https://support.oracle.com/rs?type=doc&id=2682010.1
  https://support.oracle.com/rs?type=doc&id=2683832.1
  https://support.oracle.com/rs?type=doc&id=2682500.1
  https://support.oracle.com/rs?type=doc&id=2683241.1
  https://support.oracle.com/rs?type=doc&id=2682011.1
  https://support.oracle.com/rs?type=doc&id=2683840.1
  https://support.oracle.com/rs?type=doc&id=2682018.1
  https://support.oracle.com/rs?type=doc&id=2683841.1
  https://support.oracle.com/rs?type=doc&id=2683842.1
  https://support.oracle.com/rs?type=doc&id=2683843.1
  https://support.oracle.com/rs?type=doc&id=2683845.1

Oracle Fusion Middleware: CPU of October 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2694898.1

Oracle MySQL: version 5.6.51.
The version 5.6.51 is fixed:
  https://support.oracle.com/rs?type=doc&id=2739278.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.33.
The version 5.7.33 is fixed:
  https://support.oracle.com/rs?type=doc&id=2739278.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 8.0.23.
The version 8.0.23 is fixed:
  https://support.oracle.com/rs?type=doc&id=2739278.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Ubuntu: new sqlite3 packages.
New packages are available:
  Ubuntu 20.04 LTS: sqlite3 3.31.1-4ubuntu0.1
  Ubuntu 19.10: sqlite3 3.29.0-2ubuntu0.3
  Ubuntu 18.04 LTS: sqlite3 3.22.0-1ubuntu0.4
  Ubuntu 16.04 LTS: sqlite3 3.11.0-1ubuntu1.5

Wind River Linux: version 10.17.41.21.
The version 10.17.41.21 is fixed:
  https://support2.windriver.com/

Wind River Linux: version 10.18.44.17.
The version 10.18.44.17 is fixed:
  https://support2.windriver.com/

Wind River Linux: version 10.19.45.7.
The version 10.19.45.7 is fixed:
  https://support2.windriver.com/