CVE-2017-3653
CVSS 3.5
Published: 2017-08-08 11:29:08
Last revised: 2017-12-08 21:29:09

[Original] Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N).


[CNNVD] No CNNVD data available yet.


[Machine translation] No translation available yet.

- CVSS (base score)

CVSS score: 3.5 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker does not need intranet or local access]
Authentication: SINGLE_INSTANCE [--]

- CWE (weakness category)

CWE-284 [Improper Access Control]

- CPE (affected platforms and products)

cpe:/a:oracle:mysql:5.5.56
cpe:/a:oracle:mysql:5.6.36
cpe:/a:oracle:mysql:5.7.18

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3653
(official data source) NVD

- Other links and resources

http://www.debian.org/security/2017/dsa-3922
(UNKNOWN)  DEBIAN  DSA-3922
http://www.debian.org/security/2017/dsa-3944
(UNKNOWN)  DEBIAN  DSA-3944
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
(VENDOR_ADVISORY)  CONFIRM  http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securityfocus.com/bid/99810
(VENDOR_ADVISORY)  BID  99810
http://www.securitytracker.com/id/1038928
(VENDOR_ADVISORY)  SECTRACK  1038928
https://access.redhat.com/errata/RHSA-2017:2787
(UNKNOWN)  REDHAT  RHSA-2017:2787
https://access.redhat.com/errata/RHSA-2017:2886
(UNKNOWN)  REDHAT  RHSA-2017:2886
https://www.debian.org/security/2017/dsa-3955
(UNKNOWN)  DEBIAN  DSA-3955

- Vulnerability information (F143412)

Ubuntu Security Notice USN-3357-1 (PacketStormID:F143412)
2017-07-20 00:00:00
Ubuntu  security.ubuntu.com
advisory
linux,ubuntu
CVE-2017-3529,CVE-2017-3633,CVE-2017-3634,CVE-2017-3635,CVE-2017-3636,CVE-2017-3637,CVE-2017-3638,CVE-2017-3639,CVE-2017-3640,CVE-2017-3641,CVE-2017-3642,CVE-2017-3643,CVE-2017-3644,CVE-2017-3645,CVE-2017-3647,CVE-2017-3648,CVE-2017-3649,CVE-2017-3650,CVE-2017-3651,CVE-2017-3652,CVE-2017-3653

Ubuntu Security Notice 3357-1 - Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.57 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and Ubuntu 17.04 have been updated to MySQL 5.7.19. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-3357-1
July 20, 2017

mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.57 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS
and Ubuntu 17.04 have been updated to MySQL 5.7.19.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-56.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  mysql-server-5.7                5.7.19-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  mysql-server-5.7                5.7.19-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  mysql-server-5.5                5.5.57-0ubuntu0.14.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3357-1
  CVE-2017-3529, CVE-2017-3633, CVE-2017-3634, CVE-2017-3635,
  CVE-2017-3636, CVE-2017-3637, CVE-2017-3638, CVE-2017-3639,
  CVE-2017-3640, CVE-2017-3641, CVE-2017-3642, CVE-2017-3643,
  CVE-2017-3644, CVE-2017-3645, CVE-2017-3647, CVE-2017-3648,
  CVE-2017-3649, CVE-2017-3650, CVE-2017-3651, CVE-2017-3652,
  CVE-2017-3653

Package Information:
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.19-0ubuntu0.17.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.19-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.57-0ubuntu0.14.04.1



- Vulnerability information (F143458)

Ubuntu Security Notice USN-3357-2 (PacketStormID:F143458)
2017-07-24 00:00:00
Ubuntu  security.ubuntu.com
advisory,vulnerability
linux,ubuntu
CVE-2017-3302,CVE-2017-3305,CVE-2017-3308,CVE-2017-3309,CVE-2017-3329,CVE-2017-3453,CVE-2017-3456,CVE-2017-3461,CVE-2017-3462,CVE-2017-3463,CVE-2017-3464,CVE-2017-3600,CVE-2017-3635,CVE-2017-3636,CVE-2017-3641,CVE-2017-3648,CVE-2017-3651,CVE-2017-3652,CVE-2017-3653

Ubuntu Security Notice 3357-2 - USN-3357-1 fixed several vulnerabilities in MySQL. This update provides the corresponding update for Ubuntu 12.04 ESM. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.57 in Ubuntu 12.04 ESM. Various other issues were also addressed.

===========================================================================
Ubuntu Security Notice USN-3357-2
July 24, 2017

mysql-5.5 vulnerabilities
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.5: MySQL database

Details:

USN-3357-1 fixed several vulnerabilities in MySQL. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Multiple security issues were discovered in MySQL and this update
includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.57 in Ubuntu 12.04 ESM.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  mysql-server-5.5                5.5.57-0ubuntu0.12.04.1

In general, a standard system update will make all the necessary
changes.

References:
 https://www.ubuntu.com/usn/usn-3357-2
 https://www.ubuntu.com/usn/usn-3357-1
 CVE-2017-3302, CVE-2017-3305, CVE-2017-3308, CVE-2017-3309,
 CVE-2017-3329, CVE-2017-3453, CVE-2017-3456, CVE-2017-3461,
 CVE-2017-3462, CVE-2017-3463, CVE-2017-3464, CVE-2017-3600,
 CVE-2017-3635, CVE-2017-3636, CVE-2017-3641, CVE-2017-3648,
 CVE-2017-3651, CVE-2017-3652, CVE-2017-3653


- Vulnerability information (F144089)

Slackware Security Advisory - mariadb Updates (PacketStormID:F144089)
2017-09-12 00:00:00
Slackware Security Team  slackware.com
advisory
linux,slackware
CVE-2017-3636,CVE-2017-3641,CVE-2017-3653

Slackware Security Advisory - New mariadb packages are available for Slackware 14.1 and 14.2 to fix security issues.

[slackware-security]  mariadb (SSA:2017-251-02)

New mariadb packages are available for Slackware 14.1 and 14.2 to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mariadb-10.0.32-i586-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3636
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.57-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.57-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mariadb-10.0.32-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mariadb-10.0.32-x86_64-1_slack14.2.txz


MD5 signatures:
+-------------+

Slackware 14.1 package:
e18d20ce245d96764c1385e7cd48e9d5  mariadb-5.5.57-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
270fbdbb08f125c2056ee3fddc3ae9f9  mariadb-5.5.57-x86_64-1_slack14.1.txz

Slackware 14.2 package:
9152299e6b3eede1f4fe2c357b8b43c6  mariadb-10.0.32-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
b39204d2de2aacba8cc3923b0f748d98  mariadb-10.0.32-x86_64-1_slack14.2.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg mariadb-10.0.32-i586-1_slack14.2.txz

Then, restart the database server:
# sh /etc/rc.d/rc.mysqld restart


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


- Vulnerability information

Oracle MySQL Server CVE-2017-3653 Remote Security Vulnerability
Class: Unknown
Bugtraq ID: 99810
Remote: Yes
Local: No
Published: 2017-07-18 12:00:00
Updated: 2017-07-18 12:00:00
Credit: Zuozhi Fan formerly of Alibaba

- Affected software versions

Oracle MySQL Server 5.7.18
Oracle MySQL Server 5.7.17
Oracle MySQL Server 5.7.16
Oracle MySQL Server 5.7.15
Oracle MySQL Server 5.7.12
Oracle MySQL Server 5.7
Oracle MySQL Server 5.6.36
Oracle MySQL Server 5.6.35
Oracle MySQL Server 5.6.34
Oracle MySQL Server 5.6.33
Oracle MySQL Server 5.6.30
Oracle MySQL Server 5.6.29
Oracle MySQL Server 5.6.28
Oracle MySQL Server 5.6.27
Oracle MySQL Server 5.6.26
Oracle MySQL Server 5.6.23
Oracle MySQL Server 5.6.22
Oracle MySQL Server 5.6.21
Oracle MySQL Server 5.5.56
Oracle MySQL Server 5.5.55
Oracle MySQL Server 5.5.54
Oracle MySQL Server 5.5.53
Oracle MySQL Server 5.5.52
Oracle MySQL Server 5.5.48
Oracle MySQL Server 5.5.47
Oracle MySQL Server 5.5.46
Oracle MySQL Server 5.5.45
Oracle MySQL Server 5.5.42
Oracle MySQL Server 5.5.41
Oracle MySQL Server 5.5.40
Oracle MySQL Server 5.6.25
Oracle MySQL Server 5.6.24
Oracle MySQL Server 5.6.20
Oracle MySQL Server 5.6.16
Oracle MySQL Server 5.6.15
Oracle MySQL Server 5.5.44
Oracle MySQL Server 5.5.43
Oracle MySQL Server 5.5.36
Oracle MySQL Server 5.5.35

- Discussion

Oracle MySQL Server is prone to a remote security vulnerability.

The vulnerability can be exploited over the 'MySQL' protocol. The 'Server: DDL' sub component is affected.

This vulnerability affects the following supported versions:
5.7.18 and prior
5.5.56 and prior
5.6.36 and prior
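As an added check (not code from the page or from any of the vendors quoted on it), the following Python function decides whether a given MySQL Server version string falls inside the affected ranges stated in the Oracle text above; it also accepts Ubuntu package version strings such as those in USN-3357-1, and returns None for branches the advisory does not cover (for example MariaDB's numbering), rather than guessing.

```python
"""Check MySQL Server version strings against the CVE-2017-3653 ranges
given in the Oracle advisory: 5.5.56, 5.6.36 and 5.7.18 and earlier.
Added example; not code from the page, Oracle, Ubuntu or Slackware."""
import re

# Last affected patch level per branch, taken from the advisory text.
LAST_AFFECTED = {
    (5, 5): 56,
    (5, 6): 36,
    (5, 7): 18,
}

# Leading "major.minor.patch"; anything after that (e.g. the Debian
# revision "-0ubuntu0.16.04.1" or a "-log" suffix) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError on garbage input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text):
    """True if inside an affected range, False if at or above the fixed
    level of a listed branch, None if the branch is not one the advisory
    covers (MariaDB 5.5.x/10.x numbering, MySQL 8.0, ...)."""
    major, minor, patch = parse_version(text)
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return None
    return patch <= last


def check_many(versions):
    """Map each version string in an inventory to its verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not data taken from the page.
    sample = ["5.5.56", "5.5.57-0ubuntu0.14.04.1", "5.7.18",
              "5.7.19-0ubuntu0.17.04.1", "10.0.32"]
    for version, verdict in check_many(sample).items():
        print(version, verdict)
```

Note that a MariaDB package versioned 5.5.57 (as in the Slackware advisory) shares the 5.5 branch number, so treat the None/False result for MariaDB as "not covered by this table" and consult the MariaDB release notes instead.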

- Exploit

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.

- References

