Bug 1443386 (CVE-2017-3599) - CVE-2017-3599 mysql: integer underflow in get_56_lenc_string() leading to DoS (CPU Apr 2017)
Summary: CVE-2017-3599 mysql: integer underflow in get_56_lenc_string() leading to DoS...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-3599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170419,repo...
Depends On: 1443407 1445524 1445525 1445527 1445528
Blocks: 1443389
TreeView+ depends on / blocked
 
Reported: 2017-04-19 07:33 UTC by Adam Mariš
Modified: 2019-06-08 21:56 UTC (History)
27 users (show)

Fixed In Version: mysql 5.6.36, mysql 5.7.18
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw leading to a buffer overflow was found in the way MySQL parsed connection handshake packets. An unauthenticated remote attacker with access to the MySQL port could use this flaw to crash the mysqld daemon.
Clone Of:
Environment:
Last Closed: 2017-10-12 09:05:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2787 normal SHIPPED_LIVE Important: rh-mysql56-mysql security and bug fix update 2017-09-21 11:42:12 UTC
Red Hat Product Errata RHSA-2017:2886 normal SHIPPED_LIVE Important: rh-mysql57-mysql security and bug fix update 2017-10-12 11:53:15 UTC

Description Adam Mariš 2017-04-19 07:33:15 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. 

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

Comment 1 Adam Mariš 2017-04-19 08:16:28 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1443407]

Comment 2 Tomas Hoger 2017-04-23 12:11:03 UTC
It seems this CVE may be related to this commit:

https://github.com/mysql/mysql-server/commit/f4165eae6384141905dd39d22c7611ea85de08f4

It addresses an integer underflow issue, that may lead to buffer overflow (probably limited to over-read).  As it's in the code that parses authentication message sent during the connection handshake, it would be a pre-authentication remote DoS.

Comment 3 Tomas Hoger 2017-04-24 06:31:34 UTC
Blog post from the original issue reporter confirms information in comment 2:

https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/

Comment 6 Tomas Hoger 2017-04-24 09:02:58 UTC
This issue is partially mitigated by the automatic restart of mysqld after the crash.  It's traditionally achieved by the use of mysqld_safe wrapper script, but is more recently handled by systemd (e.g. as is the case for rh-mysql57 collection for Red Hat Software Collections for Red Hat Enterprise Linux 7).

Comment 8 errata-xmlrpc 2017-09-21 07:49:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787

Comment 9 errata-xmlrpc 2017-10-12 08:03:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886


Note You need to log in before you can comment on or make changes to this bug.