MySQL Updates for Ubuntu Resolve Server Data Manipulation and DoS Vulnerabilities

Fifteen medium priority vulnerabilities have been found in the Server and Client components of the Oracle MySQL platform. The vulnerabilities have been assigned the CVE identifiers CVE-2018-2767, CVE-2018-3054, CVE-2018-3056, CVE-2018-3058, CVE-2018-3060, CVE-2018-3061, CVE-2018-3062, CVE-2018-3063, CVE-2018-3064, CVE-2018-3065, CVE-2018-3066, CVE-2018-3070, CVE-2018-3071, CVE-2018-3077 and CVE-2018-3081. Exploitation of these vulnerabilities requires that the attacker obtain network access via multiple protocols to compromise the MySQL server.

CVE-2018-2767 (CVSS 3.0 Base Score 3.1) impacts the Server:Security:Encryption subcomponent and affects versions up to 5.5.60, 5.6.40, and 5.7.22. Successful exploitation gives the attacker unauthorized read access.

CVE-2018-3054 (CVSS 3.0 Base Score 4.9) impacts the Server:DDL subcomponent. It affects all versions up to 5.7.22 and 8.0.11. The vulnerability is easily exploitable and allows an attacker to repeatedly crash the server (DoS).

CVE-2018-3056 (CVSS 3.0 Base Score 4.3) impacts the Server:Security:Privileges subcomponent. It affects all versions up to 5.7.22 and 8.0.11. The vulnerability is rated easily exploitable, giving the attacker unauthorized read access to a subset of MySQL Server readable data.

CVE-2018-3058 (CVSS 3.0 Base Score 4.3) impacts the MyISAM subcomponent. It affects versions up to 5.5.60, 5.6.40, and 5.7.22. The vulnerability is assessed to be easily exploitable, granting an attacker unauthorized update, insert, or delete access to MySQL server data.

CVE-2018-3060 (CVSS 3.0 Base Score 6.5) impacts the InnoDB subcomponent. It affects versions up to 5.7.22 and 8.0.11. It is easily exploitable, and a successful exploit allows an attacker to create, delete, or modify critical Server data as well as repeatedly crash the server with a complete DoS.

CVE-2018-3061 (CVSS 3.0 Base Score 4.9) impacts the DML subcomponent. It affects versions up to 5.7.22. The vulnerability is easily exploitable and allows a repeatable DoS crash.

CVE-2018-3062 (CVSS 3.0 Base Score 5.3) impacts the Memcached subcomponent. It affects versions up to 5.6.40, 5.7.22, and 8.0.11. The vulnerability is difficult to exploit, but a successful attack allows a frequently repeatable DoS crash of the server.

CVE-2018-3063 (CVSS 3.0 Base Score 4.9) impacts the Server:Security:Privileges subcomponent. It affects versions up to 5.5.60. It is easily exploitable and allows a frequently repeatable complete DoS crash.

CVE-2018-3064 (CVSS 3.0 Base Score 7.1) impacts the InnoDB subcomponent. It affects versions up to 5.6.40, 5.7.22, and 8.0.11. It is easily exploitable and allows a low privileged attacker to update, insert, or delete server data and to cause a repeatable DoS crash.

CVE-2018-3065 (CVSS 3.0 Base Score 6.5) impacts the DML subcomponent. It affects versions up to 5.7.22 and 8.0.11. Exploitation allows a repeatable DoS crash.

CVE-2018-3066 (CVSS 3.0 Base Score 3.3) impacts the Server:Options subcomponent. It affects versions up to 5.5.60, 5.6.40, and 5.7.22. The vulnerability is difficult to exploit but allows read, update, insert, or delete access to server data.

CVE-2018-3070 (CVSS 3.0 Base Score 6.5) impacts the Client mysqldump subcomponent. It affects versions up to 5.5.60, 5.6.40, and 5.7.22. Exploitation allows a repeatable DoS crash.

CVE-2018-3071 (CVSS 3.0 Base Score 4.9) impacts the Audit Log subcomponent. It affects versions up to 5.7.22. Exploiting this vulnerability allows an attacker to cause a repeatable DoS crash.

CVE-2018-3077 (CVSS 3.0 Base Score 4.9) impacts the Server:DDL subcomponent. It affects versions up to 5.7.22 and 8.0.11. Exploitation allows a repeatable DoS crash.

CVE-2018-3081 (CVSS 3.0 Base Score 5.0) impacts the Client programs subcomponent of the MySQL Client component. It affects versions up to 5.5.60, 5.6.40, 5.7.22, and 8.0.11. The vulnerability is difficult to exploit, but if exploited it allows update, insert, or delete access to MySQL Client accessible data as well as the ability to cause a repeatable DoS crash.

As per the advisories (1 / 2) posted on the Ubuntu website, package updates have been released for the respective Ubuntu versions to resolve the threats posed by these vulnerabilities. The update mysql-server-5.7 (5.7.23-0ubuntu0.18.04.1) is for Ubuntu 18.04 LTS and mysql-server-5.7 (5.7.23-0ubuntu0.16.04.1) is for Ubuntu 16.04 LTS. The updates for Ubuntu 14.04 LTS and Ubuntu 12.04 ESM are mysql-server-5.5 (5.5.61-0ubuntu0.14.04.1) and mysql-server-5.5 (5.5.61-0ubuntu0.12.04.1) respectively. These updates can be downloaded and installed directly from the website.

You can also open the Update Manager on a desktop and check the pending updates under the settings tab. Selecting the updates and proceeding to install will apply the patches. On a server with the update-notifier-common package, you can check for updates with “sudo apt-get update” and apply them with “sudo apt-get dist-upgrade”. Confirming the prompt to proceed lets the updates install directly.
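After applying the update, the check a practitioner wants is whether the installed package is actually at or above the fixed version from the advisories. The script below is an added example, not part of the Ubuntu advisories or of this article; it embeds the fixed versions listed above (the 5.7.23 and 5.5.61 builds), takes one line of `dpkg-query -W` output, and compares versions with `sort -V` so it also runs on a host without dpkg. The function names and the sample package lines are constructed for this example.

```shell
#!/bin/sh
# Added example: verify that the installed mysql-server package meets the
# fixed version from the Ubuntu advisories for this update round.

# Fixed package and version per Ubuntu release, as listed in the advisories.
fixed_version_for() {
  case "$1" in
    18.04) echo "mysql-server-5.7 5.7.23-0ubuntu0.18.04.1" ;;
    16.04) echo "mysql-server-5.7 5.7.23-0ubuntu0.16.04.1" ;;
    14.04) echo "mysql-server-5.5 5.5.61-0ubuntu0.14.04.1" ;;
    12.04) echo "mysql-server-5.5 5.5.61-0ubuntu0.12.04.1" ;;
    *) return 1 ;;   # release not covered by these advisories
  esac
}

# version_ge A B: succeeds when A sorts at or after B in version order.
# sort -V is used instead of dpkg --compare-versions so this works off-box.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_mysql_patched RELEASE "PKG VERSION"
#   RELEASE      Ubuntu release number, e.g. 18.04 (what `lsb_release -rs` prints)
#   PKG VERSION  one line as printed by `dpkg-query -W mysql-server-5.7`
# Exit status: 0 = installed version >= fixed version
#              1 = installed version is older (still vulnerable)
#              2 = release or package name does not match the advisory
check_mysql_patched() {
  release="$1"
  installed_pkg=$(printf '%s' "$2" | awk '{print $1}')
  installed_ver=$(printf '%s' "$2" | awk '{print $2}')
  fixed=$(fixed_version_for "$release") || return 2
  fixed_pkg=${fixed% *}
  fixed_ver=${fixed#* }
  [ "$installed_pkg" = "$fixed_pkg" ] || return 2
  version_ge "$installed_ver" "$fixed_ver"
}

# Demo on constructed sample lines (not real dpkg-query output). On a real host
# run:  check_mysql_patched "$(lsb_release -rs)" \
#         "$(dpkg-query -W -f '${Package} ${Version}\n' mysql-server-5.7)"
for sample in "mysql-server-5.7 5.7.22-0ubuntu0.18.04.1" \
              "mysql-server-5.7 5.7.23-0ubuntu0.18.04.1"; do
  if check_mysql_patched 18.04 "$sample"; then
    echo "patched:    $sample"
  else
    echo "vulnerable: $sample"
  fi
done
```

The exit status is deliberately three-valued so that a fleet inventory script can tell "older than the fix" apart from "wrong package or release", which is the usual source of false reassurance when only a `grep` for the version string is used.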
