|
MySQL Denial of Service Vulnerability and Multiple Security Issues
|
|
Secunia Advisory:
|
SA25301
|
|
|
Release Date:
|
2007-05-17
|
|
Last Update:
|
2007-07-19
|
|
Popularity:
|
10,993 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
Privilege escalation
DoS
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | MySQL 4.x
MySQL 5.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2007-2691
CVE-2007-2692
CVE-2007-2693
CVE-2007-3780
CVE-2007-3781
CVE-2007-3782
|
|
Description:
Various security issues and a vulnerability have been reported in MySQL, which can be exploited by malicious users to gain escalated privileges, bypass certain security restrictions and cause a DoS (Denial of Service) or malicious people to cause a DoS.
1) The problem is that it is possible for a user to rename a table without having DROP privileges.
The security issue has been reported in version 4.1 and 5.0.
2) The problem is that stored routines defined with SQL SECURITY INVOKER do not change back privileges when returning and can be invoked by users to gain escalated privileges.
The security issue has been reported in version 5.0.40.
3) An unspecified vulnerability within the handling of password packets in the connection protocol can be exploited to crash the server.
4) The mysql_update() and mysql_test_update() functions do not correctly check the privileges of views. This can be exploited to gain certain privileges for tables of other databases.
The security issue is reported in version 5.0.38 and 5.1.
5) The "CREATE TABLE LIKE" command did not correctly check the privileges for the source table and does not correctly implement table locking. This can be exploited to bypass certain security restrictions or potentially crash the service.
The security issue is reported in versions 5.0 and 5.1.
Solution:
Update to MySQL Enterprise version 4.1.23 and 5.0.44 and MySQL Community Server 5.0.45.
Provided and/or discovered by:
Reported via a bug report by:
1) Victoria Reznichenko
2) Alexander Nozdrin
3) Dormando
4) Phil Anderton
5) Andrei Elkin and maybe an unknown person
Changelog:
2007-07-17: Added vulnerabilities 3, 4 and 5. Updated "Solution" section.
2007-07-19: Added CVE reference.
Original Advisory:
MySQL:
1) http://bugs.mysql.com/bug.php?id=27515
2) http://bugs.mysql.com/bug.php?id=27337
3) http://bugs.mysql.com/bug.php?id=28984
4) http://bugs.mysql.com/bug.php?id=27878
5) http://bugs.mysql.com/bug.php?id=23667
http://bugs.mysql.com/bug.php?id=25578
http://lists.mysql.com/announce/470
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
