Bug 882608 (CVE-2012-5615)

Summary: CVE-2012-5615 mysql: Remote Preauth User Enumeration flaw
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: byte, hhorak, jlieskov, jrusnack, jwalter, patrick.d.mayo, redhat, roomojee
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20121201,reported=20121202,source=internet,cvss2=3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N,rhel-5/mysql55-mysql=affected,rhel-6/mysql=new,rhel-7/mariadb=affected,rhscl-1/mysql55-mysql=affected,rhscl-1/mariadb55-mariadb=affected,openstack-5/mariadb-galera=affected,openstack-rdo/mariadb-galera=affected,fedora-all/community-mysql=affected,fedora-all/mariadb=affected,cwe=CWE-209
Doc Type: Bug Fix
Last Closed: 2014-12-11 23:48:14 EST
Bug Depends On: 1162374, 1162375
Bug Blocks: 882596, 1165433

Description Huzaifa S. Sidhpurwala 2012-12-02 02:12:17 EST
A flaw was found in MySQL in which, if an attacker authenticates using an incorrect password with the old authentication mechanism from MySQL 4.x and below to a MySQL 5.x server, the MySQL server will respond with a different message than Access Denied, which makes User Account Enumeration possible.


Reference:
http://seclists.org/fulldisclosure/2012/Dec/9

This issue was assigned CVE-2012-5615.
Comment 3 Huzaifa S. Sidhpurwala 2013-01-22 01:28:32 EST
This issue has not been addressed by the recent January 2013 CPU containing mysql security fixes.

http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

Deferring this flaw till upstream fixes it.

Statement:

(none)
Comment 4 Huzaifa S. Sidhpurwala 2013-01-22 01:28:47 EST
This issue affects the version of mysql as shipped with Fedora-17 and Fedora-18.
Comment 5 Tomas Hoger 2013-01-25 07:53:49 EST
MariaDB fix:

http://bazaar.launchpad.net/~maria-captains/maria/5.2/revision/3202
Comment 6 Huzaifa S. Sidhpurwala 2014-11-17 23:47:35 EST
As per the following link: 

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Upstream claims that this issue is fixed in the Oct 2014 CPU of mysql-5.5

Also mariadb at:

https://mariadb.com/kb/en/mariadb/development/release-notes/mariadb-5539-release-notes/
Comment 7 Huzaifa S. Sidhpurwala 2014-11-17 23:50:42 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1859 https://rhn.redhat.com/errata/RHSA-2014-1859.html
Comment 8 Huzaifa S. Sidhpurwala 2014-11-17 23:50:56 EST
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS

Via RHSA-2014:1862 https://rhn.redhat.com/errata/RHSA-2014-1862.html
Comment 9 Huzaifa S. Sidhpurwala 2014-11-17 23:51:08 EST
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS

Via RHSA-2014:1860 https://rhn.redhat.com/errata/RHSA-2014-1860.html
Comment 10 Huzaifa S. Sidhpurwala 2014-11-17 23:51:37 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1861 https://rhn.redhat.com/errata/RHSA-2014-1861.html
Comment 11 errata-xmlrpc 2014-12-02 11:49:05 EST
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1937 https://rhn.redhat.com/errata/RHSA-2014-1937.html
Comment 12 errata-xmlrpc 2014-12-02 12:01:01 EST
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1940 https://rhn.redhat.com/errata/RHSA-2014-1940.html
Comment 13 Fedora Update System 2014-12-02 20:02:04 EST
mariadb-galera-5.5.40-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.