Bug 1443386 (CVE-2017-3599)
| Summary: | CVE-2017-3599 mysql: integer underflow in get_56_lenc_string() leading to DoS (CPU Apr 2017) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, gmollett, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, slinaber, srevivo, tdecacqu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mysql 5.6.36, mysql 5.7.18 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An integer overflow flaw leading to a buffer overflow was found in the way MySQL parsed connection handshake packets. An unauthenticated remote attacker with access to the MySQL port could use this flaw to crash the mysqld daemon.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-10-12 09:05:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1443407, 1445524, 1445525, 1445527, 1445528 | ||
| Bug Blocks: | 1443389 | ||
|
Description
Adam Mariš
2017-04-19 07:33:15 UTC
Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1443407] It seems this CVE may be related to this commit: https://github.com/mysql/mysql-server/commit/f4165eae6384141905dd39d22c7611ea85de08f4 It addresses an integer underflow issue, that may lead to buffer overflow (probably limited to over-read). As it's in the code that parses authentication message sent during the connection handshake, it would be a pre-authentication remote DoS. Blog post from the original issue reporter confirms information in comment 2: https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/ External References: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/ This issue is partially mitigated by the automatic restart of mysqld after the crash. It's traditionally achieved by the use of mysqld_safe wrapper script, but is more recently handled by systemd (e.g. as is the case for rh-mysql57 collection for Red Hat Software Collections for Red Hat Enterprise Linux 7). This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886 |