Bug 1922384 (CVE-2021-2011) - CVE-2021-2011 mysql: C API unspecified vulnerability (CPU Jan 2021)
Summary: CVE-2021-2011 mysql: C API unspecified vulnerability (CPU Jan 2021)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-2011
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1610986 1922446 1922447 1922456 1928189 1928190 1996705 2003104
Blocks: 1922432
TreeView+ depends on / blocked
 
Reported: 2021-01-29 16:47 UTC by msiddiqu
Modified: 2021-10-12 14:13 UTC (History)
19 users (show)

Fixed In Version: mysql 5.7.33, mysql 8.0.23, mariadb-connector-c 3.0.5, mariadb 5.5.61, mariadb 10.2.15, mariadb 10.1.33, mariadb 10.0.35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-12 16:09:42 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3590 0 None None None 2021-09-21 08:44:43 UTC
Red Hat Product Errata RHSA-2021:3811 0 None None None 2021-10-12 14:13:46 UTC

Description msiddiqu 2021-01-29 16:47:06 UTC
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client.

External References:

https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL

Comment 1 msiddiqu 2021-01-29 19:20:47 UTC
Created mysql:5.7/community-mysql tracking bugs for this issue:

Affects: fedora-32 [bug 1922456]

Comment 2 msiddiqu 2021-01-29 19:30:40 UTC
Created mysql:8.0/community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1922447]

Comment 3 Tomas Hoger 2021-02-12 11:45:37 UTC
MariaDB upstream indicates that they corrected this issue in MariaDB versions 5.5.61, 10.0.35, 10.1.33, and 10.2.15, as well as MariaDB Connector/C version 3.0.5.  Therefore:

* The mariadb:10.3 module in Red Hat Enterprise Linux 8 was never affected by this issue.

* The mariadb-connector-c packages in Red Hat Enterprise Linux 8 were never affected, as the first version included in the product was 3.0.7.

* The mariadb packages in Red Hat Enterprise Linux 7 were updated to the fixed upstream version via this erratum:
https://access.redhat.com/errata/RHSA-2019:2327

* The rh-mariadb103-mariadb packages in Red Hat Software Collections were never affected by this issue.

Comment 5 Product Security DevOps Team 2021-02-12 16:09:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2011

Comment 6 errata-xmlrpc 2021-09-21 08:44:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3590 https://access.redhat.com/errata/RHSA-2021:3590

Comment 7 errata-xmlrpc 2021-10-12 14:13:43 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3811 https://access.redhat.com/errata/RHSA-2021:3811


Note You need to log in before you can comment on or make changes to this bug.