This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.MYSQL_8_4_1.NASLOracle MySQL Server 8.x < 8.4.1 (July 2024 CPU)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
The versions of MySQL Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2024 CPU advisory.
-
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2024-21177)
-
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2024-21171)
-
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. (CVE-2024-21163)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(202619);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/19");
script_cve_id(
"CVE-2024-20996",
"CVE-2024-21125",
"CVE-2024-21127",
"CVE-2024-21129",
"CVE-2024-21130",
"CVE-2024-21134",
"CVE-2024-21142",
"CVE-2024-21162",
"CVE-2024-21163",
"CVE-2024-21171",
"CVE-2024-21173",
"CVE-2024-21176",
"CVE-2024-21177",
"CVE-2024-21179"
);
script_name(english:"Oracle MySQL Server 8.x < 8.4.1 (July 2024 CPU)");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
script_set_attribute(attribute:"description", value:
"The versions of MySQL Server installed on the remote host are affected by multiple vulnerabilities as referenced in the
July 2024 CPU advisory.
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that
are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)
of MySQL Server. (CVE-2024-21177)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions
that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. (CVE-2024-21171)
- Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions
that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server
accessible data. (CVE-2024-21163)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2024.html");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2024 Oracle Critical Patch Update advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21163");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/18");
script_set_attribute(attribute:"patch_publication_date", value:"2024/07/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Databases");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("mysql_version.nasl", "mysql_login.nasl");
script_require_ports("Services/mysql", 3306);
exit(0);
}
include('mysql_version.inc');
mysql_check_version(fixed:'8.4.1', min:'8.1', severity:SECURITY_WARNING);
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20996
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21127
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21142
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21162
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21163
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21171
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21173
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21176
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21179
www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json
www.oracle.com/security-alerts/cpujul2024.html
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High