Bug 1534139 (CVE-2018-2703)
Summary: | CVE-2018-2703 mysql: sha256_password authentication DoS via hash with large rounds value | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apevec, chrisw, databases-maint, dciabrin, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, security-response-team, slinaber, srevivo, tdecacqu |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | mysql 5.6.39, mysql 5.7.21 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-03-26 11:30:37 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1533831, 1533832, 1533833, 1533834, 1535520 | ||
Bug Blocks: | 1509486, 1535524 |
Description
Tomas Hoger
2018-01-13 13:19:32 UTC
Acknowledgments: Name: Red Hat Product Security This issue was fixed in MySQL 5.6.39 and 5.7.21: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-39.html https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html Incompatible Change: Passwords are now restricted to a maximum of 256 characters for the sha256_password authentication plugin, and for the PASSWORD() function when old_passwords=2. Also, the number of password hashing rounds is capped to limit CPU time used. (Bug #27099029, Bug #27194270) Upstream commit: https://github.com/mysql/mysql-server/commit/efb4087cfe12134e1541b39ee9a4305f7cd225f5 This is now also public via Oracle CPU January 2018: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0587 https://access.redhat.com/errata/RHSA-2018:0587 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0586 https://access.redhat.com/errata/RHSA-2018:0586 |