Bug 1702980 (CVE-2019-2632)

Summary: CVE-2019-2632 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Apr 2019)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: databases-maint, dbecker, dciabrin, hhorak, jjanco, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, mbayer, mburns, mkocka, mmuzila, mschorm, praiskup, sclewis, slinaber, SpikeFedora
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mysql 5.7.26, mysql 8.0.16
Doc Type: No Doc Update
Last Closed: 2019-05-06 13:18:14 UTC
Bug Blocks: 1703000

Description Tomas Hoger 2019-04-25 09:20:17 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Comment 1 Tomas Hoger 2019-04-25 09:36:43 UTC
Even though the Oracle Apr 2019 CPU was released more than a week ago, advising users to upgrade to MySQL 5.7.26 or 8.0.16, those versions have not been released yet. Therefore, there are also no actionable details available about this flaw at this time.

Comment 2 Tomas Hoger 2019-05-06 13:18:14 UTC
Looking at the release notes for MySQL 5.7.26 and 8.0.16, there is the following issue listed:

The authentication_ldap_simple plugin could enforce authentication incorrectly. (Bug #29637712)

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-16.html

However, the authentication_ldap_simple plugin is a feature only available in the MySQL Enterprise Edition, as noted in its documentation:

https://dev.mysql.com/doc/refman/8.0/en/ldap-pluggable-authentication.html

The plugin is not available in the Community Edition, which is included in Red Hat products.

There does not seem to be any other change that could be related to this CVE mentioned in the release notes or found in the code changes between 5.7.25 and 5.7.26.
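
A query an administrator could run to check a given server against the reasoning in Comment 2, as an added example that is not part of the bug report. It assumes the CVE corresponds to the authentication_ldap_simple change, which the comment infers from the release notes rather than confirms; the column aliases (version_status, accounts_using_plugin, and so on) are made up here.

```sql
-- Added example: exposure check for CVE-2019-2632 on one MySQL server.
-- Assumption: the flaw is the authentication_ldap_simple issue that
-- Comment 2 found in the 5.7.26 / 8.0.16 release notes.
-- Needs an account that can read mysql.user.
SELECT
  v.server_version,
  -- Affected ranges as stated in the bug description:
  -- 5.7.25 and prior, 8.0.15 and prior.
  CASE
    WHEN v.major = 5 AND v.minor = 7 AND v.patch <= 25 THEN 'in affected range'
    WHEN v.major = 8 AND v.minor = 0 AND v.patch <= 15 THEN 'in affected range'
    ELSE 'outside listed range'
  END AS version_status,
  -- NULL in the three plugin columns means the plugin is not installed,
  -- which is the expected result on Community Edition builds.
  p.PLUGIN_NAME,
  p.PLUGIN_STATUS,
  p.PLUGIN_LIBRARY,
  -- Accounts that actually authenticate through the plugin.
  (SELECT COUNT(*)
     FROM mysql.user u
    WHERE u.plugin = 'authentication_ldap_simple') AS accounts_using_plugin
FROM (
  -- Split VERSION() (for example '5.7.25-log') into numeric parts.
  SELECT
    VERSION() AS server_version,
    CAST(SUBSTRING_INDEX(VERSION(), '.', 1) AS UNSIGNED) AS major,
    CAST(SUBSTRING_INDEX(SUBSTRING_INDEX(VERSION(), '.', 2), '.', -1) AS UNSIGNED) AS minor,
    CAST(SUBSTRING_INDEX(SUBSTRING_INDEX(VERSION(), '-', 1), '.', -1) AS UNSIGNED) AS patch
) AS v
LEFT JOIN INFORMATION_SCHEMA.PLUGINS p
  ON p.PLUGIN_NAME = 'authentication_ldap_simple';
```

A server is only of concern under this assumption when version_status reads 'in affected range' and PLUGIN_STATUS is ACTIVE; a non-zero accounts_using_plugin shows which deployments rely on the plugin for logins.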