Bug 1865957 (CVE-2020-14591)

Summary:	CVE-2020-14591 mysql: Server: Audit Plug-in unspecified vulnerability (CPU Jul 2020)
Product:	[Other] Security Response	Reporter:	msiddiqu
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	damien.ciabrini, databases-maint, dbecker, dciabrin, hhorak, jjanco, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, ljavorsk, lpeer, mbayer, mburns, mkocka, mmuzila, mschorm, sclewis, slinaber, SpikeFedora
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	mysql 8.0.21	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-08-08 19:54:22 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1865985

Description msiddiqu 2020-08-04 15:17:42 UTC

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

External References:

https://www.oracle.com/security-alerts/cpujul2020.html#AppendixMSQL

Comment 1 Tomas Hoger 2020-08-08 19:54:22 UTC

MySQL Enterprise Audit plugin is a feature of MySQL Enterprise Edition:

https://dev.mysql.com/doc/refman/8.0/en/audit-log.html
https://www.mysql.com/products/enterprise/audit.html

This flaw can not affect MySQL packages included in Red Hat products that are based on MySQL Community Edition that does not include audit_log plugin.