Bug 1443363 (CVE-2017-3450)
| Field | Value |
|---|---|
| Summary | CVE-2017-3450 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2017) |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Adam Mariš <amaris> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Keywords | Security |
| CC | aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, gmollett, hhorak, jjoyce, jorton, jschluet, jshepherd, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, slinaber, srevivo, tdecacqu |
| Fixed In Version | mysql 5.6.36, mysql 5.7.18 |
| Last Closed | 2017-10-12 09:10:09 UTC |
| Bug Depends On | 1443407, 1445524, 1445525, 1445527, 1445528 |
| Bug Blocks | 1443389 |

Description
Adam Mariš
2017-04-19 07:19:54 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1443407]

The only recent change to the innodb_memcached plugin is:

https://github.com/mysql/mysql-server/commit/659514dc83299a7d8c7defeb543be4339fbe1ee1

Also mentioned in the release notes:

InnoDB: A memcached read operation with a non-default read batch size configuration resulted in a server exit. (Bug #25147515)

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-36.html

While Oracle CPU lists this as unauthenticated attack, attacker requires read access to the mysqld's memcached port. MySQL documentation explicitly notes that only trusted users should be granted such access.

https://dev.mysql.com/doc/refman/5.7/en/innodb-memcached-security.html

This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 6
- Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787

This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 6
- Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886
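
A triage check built from the details in the comments above, added here as an example (not code from Red Hat, Oracle or anyone on this bug): it combines the bug's Fixed In Version values with whether the `daemon_memcached` plugin is active and whether the read batch size is non-default. The function names, verdict strings and sample rows are constructed; flagging the read batch size follows the comment's reading of the release notes, which is an assumption and not a confirmed root cause.

```python
import re

# "Fixed In Version" values from this bug, keyed by release series.
FIXED = {(5, 6): (5, 6, 36), (5, 7): (5, 7, 18)}
DEFAULT_R_BATCH = "1"  # MySQL's default daemon_memcached_r_batch_size

def parse_version(text):
    """Turn a server version string such as '5.7.17-log' into (5, 7, 17)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def parse_rows(tsv):
    """Parse tab-separated name/value rows (`mysql -N -B` output) into a dict."""
    rows = {}
    for line in tsv.splitlines():
        name, sep, value = line.partition("\t")
        if sep:
            rows[name.strip().lower()] = value.strip()
    return rows

def assess(version_text, plugins_tsv, variables_tsv):
    """Return (verdict, notes) for one server; verdict strings are hypothetical."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    status = parse_rows(plugins_tsv).get("daemon_memcached", "")
    r_batch = parse_rows(variables_tsv).get(
        "daemon_memcached_r_batch_size", DEFAULT_R_BATCH)
    notes = []
    if r_batch != DEFAULT_R_BATCH:
        notes.append(f"non-default read batch size ({r_batch})")
    if status.upper() != "ACTIVE":
        return "plugin-not-active", notes
    notes.append("limit the memcached port to trusted clients")
    if fixed is None:  # series not covered by this bug's fixed versions
        return "series-not-listed", notes
    if version >= fixed:
        return "fixed", notes
    notes.append("update to " + ".".join(map(str, fixed)))
    return "update-needed", notes

# Constructed sample rows, shaped like the output of
#   SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS;
#   SHOW GLOBAL VARIABLES LIKE 'daemon_memcached%';
SAMPLE_PLUGINS = "InnoDB\tACTIVE\ndaemon_memcached\tACTIVE\n"
SAMPLE_VARS = "daemon_memcached_r_batch_size\t32\ndaemon_memcached_w_batch_size\t1\n"

if __name__ == "__main__":
    print(assess("5.7.17-log", SAMPLE_PLUGINS, SAMPLE_VARS))
```
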