SUSE-SU-2018:1333-1: moderate: mysql
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Fri May 18 04:12:31 MDT 2018
SUSE Security Update: mysql
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:1333-1
Rating: moderate
References: #1089987
Cross-References: CVE-2018-2755 CVE-2018-2761 CVE-2018-2771
CVE-2018-2773 CVE-2018-2781 CVE-2018-2813
CVE-2018-2817 CVE-2018-2818 CVE-2018-2819
Affected Products:
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________
An update that fixes 9 vulnerabilities is now available.
Description:
This update fixes the following issues:
- Update to 5.5.60 in Oracle Apr2018 CPU (bsc#1089987).
- CVE-2018-2761: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Client programs). Supported versions that are
affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
- CVE-2018-2755: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Server: Replication). Supported versions that are
affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
Difficult to exploit vulnerability allows unauthenticated attacker
with logon to the infrastructure where MySQL Server executes to
compromise MySQL Server. Successful attacks require human interaction
from a person other than the attacker and while the vulnerability is
in MySQL Server, attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in takeover of
MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and
Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
- CVE-2018-2781: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Server: Optimizer). Supported versions that are
affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
- CVE-2018-2819: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: InnoDB). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily
exploitable vulnerability allows low privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to
cause a hang or frequently repeatable crash (complete DOS) of MySQL
Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
- CVE-2018-2818: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Server : Security : Privileges). Supported
versions that are affected are 5.5.59 and prior, 5.6.39 and prior and
5.7.21 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score
4.9 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
- CVE-2018-2817: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Server: DDL). Supported versions that are
affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
- CVE-2018-2771: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Server: Locking). Supported versions that are
affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
Difficult to exploit vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
- CVE-2018-2813: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Server: DDL). Supported versions that are
affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
read access to a subset of MySQL Server accessible data. CVSS 3.0 Base
Score 4.3 (Confidentiality impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2773: Vulnerability in the MySQL Server component of Oracle
MySQL (subcomponent: Client programs). Supported versions that are
affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
Difficult to exploit vulnerability allows high privileged attacker
with logon to the infrastructure where MySQL Server executes to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score
4.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-mysql-13611=1
- SUSE Linux Enterprise Server 11-SP4:
zypper in -t patch slessp4-mysql-13611=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-mysql-13611=1
Package List:
- SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
libmysql55client_r18-32bit-5.5.60-0.39.12.1
- SUSE Linux Enterprise Software Development Kit 11-SP4 (ia64):
libmysql55client_r18-x86-5.5.60-0.39.12.1
- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
libmysql55client18-5.5.60-0.39.12.1
libmysql55client_r18-5.5.60-0.39.12.1
mysql-5.5.60-0.39.12.1
mysql-client-5.5.60-0.39.12.1
mysql-tools-5.5.60-0.39.12.1
- SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
libmysql55client18-32bit-5.5.60-0.39.12.1
libmysql55client_r18-32bit-5.5.60-0.39.12.1
- SUSE Linux Enterprise Server 11-SP4 (ia64):
libmysql55client18-x86-5.5.60-0.39.12.1
libmysql55client_r18-x86-5.5.60-0.39.12.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
mysql-debuginfo-5.5.60-0.39.12.1
mysql-debugsource-5.5.60-0.39.12.1
References:
https://www.suse.com/security/cve/CVE-2018-2755.html
https://www.suse.com/security/cve/CVE-2018-2761.html
https://www.suse.com/security/cve/CVE-2018-2771.html
https://www.suse.com/security/cve/CVE-2018-2773.html
https://www.suse.com/security/cve/CVE-2018-2781.html
https://www.suse.com/security/cve/CVE-2018-2813.html
https://www.suse.com/security/cve/CVE-2018-2817.html
https://www.suse.com/security/cve/CVE-2018-2818.html
https://www.suse.com/security/cve/CVE-2018-2819.html
https://bugzilla.suse.com/1089987
More information about the sle-security-updates
mailing list