Bug 1702980 (CVE-2019-2632) - CVE-2019-2632 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Apr 2019)
Summary: CVE-2019-2632 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Ap...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-2632
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1703000
TreeView+ depends on / blocked
 
Reported: 2019-04-25 09:20 UTC by Tomas Hoger
Modified: 2021-02-16 22:01 UTC (History)
21 users (show)

Fixed In Version: mysql 5.7.26, mysql 8.0.16
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-06 13:18:14 UTC
Embargoed:


Attachments (Terms of Use)

Description Tomas Hoger 2019-04-25 09:20:17 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.7.25 and prior and  8.0.15 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Comment 1 Tomas Hoger 2019-04-25 09:36:43 UTC
Even though Oracle Apr 2019 CPU was released more than a week ago, suggesting users to upgrade to MySQL 5.7.26 or 8.0.16, those versions have not been released yet.  Therefore, there are also no actionable details available about this flaw at this time.

Comment 2 Tomas Hoger 2019-05-06 13:18:14 UTC
Looking at the release notes for MySQL 5.7.26 and 8.0.16, there is the following issue listed:

The authentication_ldap_simple plugin could enforce authentication incorrectly. (Bug #29637712)

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-16.html

However, the authentication_ldap_simple plugin is a feature only available in the MySQL Enterprise Edition as note in its documentation:

https://dev.mysql.com/doc/refman/8.0/en/ldap-pluggable-authentication.html

The plugin is not available in the Community Edition, which is included in Red Hat products.

There does not seem to be any other change that could be related to this CVE mentioned in the release notes or found in the code changes between 5.7.25 and 5.7.26.


Note You need to log in before you can comment on or make changes to this bug.