KLA10749 Multiple vulnerabilities in MariaDB

2016-01-27 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 7.2 High
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 8.2 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 71.1%)

Multiple serious vulnerabilities have been found in MariaDB. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity, bypass security restrictions or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. Improper server hostname verification can be exploited remotely via a specially crafted certificate to bypass security restrictions;
  2. Multiple unknown vulnerabilities can be exploited remotely to affect integrity, availability and confidentiality.

Technical details

Vulnerability (1) is caused by the ssl_verify_server_cert function in sql-common/client.c, which does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate. This vulnerability can be exploited via a “/CN=” string in a field in a certificate.
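
The advisory does not show the affected code, so the following is an added illustration, not MariaDB's code: a constructed model of why matching on a flattened subject string lets a “/CN=” sequence inside another field be mistaken for the Common Name, next to a check that compares only real CN attributes. The `rdn` struct, the function names and both sample subjects are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* One parsed subject attribute (hypothetical type for this example). */
struct rdn { const char *type, *value; };

/* Constructed sample subjects, not taken from any real certificate. */
static const struct rdn legit[] = {
    {"O", "Example Corp"}, {"CN", "db.example.test"} };
static const struct rdn crafted[] = {
    {"O", "Example/CN=db.example.test"}, {"CN", "other.example.test"} };

/* Flatten to "/TYPE=value/..." text. Values are copied verbatim, so a '/'
   inside a value looks exactly like an attribute boundary afterwards. */
static void oneline(const struct rdn *s, size_t n, char *out, size_t cap) {
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n && used < cap; i++) {
        snprintf(out + used, cap - used, "/%s=%s", s[i].type, s[i].value);
        used = strlen(out);
    }
}

/* Weak: search the flattened text for "/CN=" and compare what follows. */
int weak_match(const struct rdn *s, size_t n, const char *host) {
    char buf[256];
    oneline(s, n, buf, sizeof buf);
    const char *cn = strstr(buf, "/CN=");
    if (!cn) return 0;
    cn += 4;
    size_t len = strcspn(cn, "/");
    return strlen(host) == len && strncmp(cn, host, len) == 0;
}

/* Stricter: only the value of an attribute whose type is CN is compared.
   Exact compare for brevity; production checks are case-insensitive and
   consult subjectAltName first. */
int strict_match(const struct rdn *s, size_t n, const char *host) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(s[i].type, "CN") == 0 && strcmp(s[i].value, host) == 0)
            return 1;
    return 0;
}

int main(void) {
    const char *h = "db.example.test";
    printf("legit:   weak=%d strict=%d\n", weak_match(legit, 2, h), strict_match(legit, 2, h));
    printf("crafted: weak=%d strict=%d\n", weak_match(crafted, 2, h), strict_match(crafted, 2, h));
    return 0;
}
```

Both checks accept the legitimate subject; only the string-based check accepts the constructed subject whose organization field contains “/CN=”.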

Original advisories

MariaDB bug bulletin.

Related products

MariaDB

CVE list

CVE-2016-0609 warning

CVE-2016-0616 warning

CVE-2016-0606 warning

CVE-2016-0608 warning

CVE-2016-0546 high

CVE-2016-0596 warning

CVE-2016-0600 warning

CVE-2016-0597 warning

CVE-2016-0598 warning

CVE-2016-0505 high

CVE-2016-2047 warning

Solution

Update to the latest version

MariaDB download page

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute any code or commands on the vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an attacker to capture information that is critical for the user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can allow actions that are restricted by the current security settings.

  • LoI

Loss of integrity. Exploitation of vulnerabilities with this impact can lead to a partial system fault or disruption of connections between system components.

Affected Products

  • MariaDB versions earlier than 5.5.47
  • MariaDB 10.0 versions earlier than 10.0.23
  • MariaDB 10.1 versions earlier than 10.1.10
