IBMA26161DB572BE5EB279CC6448FB8E8890CFD0ECB1BFECC76B89DC399F4485F86Security Bulletin: Multiple security vulnerabilities have been identified in Oracle MySQL, which is a supported topology database of IBM Tivoli Network Manager IP Edition.
5.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
0.005 Low
EPSS
Percentile
76.5%
Summary
Oracle MySQL version 5.6.x is a supported topology database of IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4 and Fix Pack 5. Information about security vulnerabilities affecting Oracle MySQL has been published here.
Vulnerability Details
CVE-ID: CVE-2019-2534 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: Replication component could allow an authenticated attacker to cause high confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155844 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
CVE-ID: CVE-2019-2529 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155839 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-2482 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: PS component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155798 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-2455 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: Parser component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155771 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-2503 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: Connection Handling component could allow an authenticated attacker to cause high confidentiality impact, no integrity impact, and high availability impact.
CVSS Base Score: 6.4
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155817 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H)
CVE-ID: CVE-2019-2537 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: DDL component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155847 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-2481 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155797 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-2531 Description: An unspecified vulnerability in Oracle MySQL related to the Server Server: Replication component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155841 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
ITNM 3.9.0.4 and ITNM 3.9.0.5 deployments which use Oracle MySQL v5.6 as their topology database server.
Remediation/Fixes
Product
| VMRF |Remediation/First Fix
—|—|—
IBM Tivoli Network Manager IP Edition |3.9.0.4 and 3.9.0.5 | Upgrade Oracle MySQL v5.6 servers as advised in Oracle’s Critical Patch Update for January 2019.
Workarounds and Mitigations
None.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| tivoli network manager ip edition | eq | 3.9 | |
| tivoli network manager ip edition | eq | 4 | |
| tivoli network manager ip edition | eq | 5 |
Related
5.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
0.005 Low
EPSS
Percentile
76.5%