MariaDB Server 10.2.x < 10.2.3 Multiple DoS

medium Nessus Network Monitor Plugin ID 9916

Synopsis

The remote database server is affected by multiple Denial of Service (DoS) attack vectors.

Description

The version of MariaDB installed on the remote host is 10.2.x prior to 10.2.3, and is affected by multiple DoS vulnerabilities:

- A flaw exists in the 'wsrep_replicate_myisam' functionality that is triggered when dropping MyISAM tables. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'trx_state_eq()' function that is triggered during the handling of state errors. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'lock_rec_queue_validate()' function in 'lock/lock0lock.cc' that is triggered during the handling of lock requests. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'date_add_interval()' function in 'sql/sql_time.cc' that is triggered during the handling of INTERVAL arguments. This may allow an authenticated attacker to crash the database.
- A flaw exists in 'sql/item_subselect.cc' that is triggered during the handling of queries from the select/unit tree. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item::check_well_formed_result()' function in 'sql/item.cc' that is triggered during the handling of row validation. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'lex_one_token()' function in 'sql/sql_lex.cc' that is triggered during the handling of a specially crafted query. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'check_contains()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of a specially crafted array. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'QUICK_RANGE_SELECT::init_ror_merged_scan()' function in 'sql/opt_range.cc' that is triggered during the handling of a specially crafted table column. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item_func_json_extract::val_str()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of scalar values. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'mark_object()' and 'mark_array()' functions in 'strings/json_lib.c' that is triggered during the handling of 'JSON_VALID' selections. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'handle_match()' function in 'strings/json_lib.c' that is triggered during the handling of JSON arrays. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item_func_json_array::fix_length_and_dec()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of NULL arguments. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item_json_typecast::fix_length_and_dec()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of JSON casting. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'parse_one_or_all()' function in 'sql/item_jsonfunc.cc' that is triggered when handling input passed via the 'one_or_all' parameter. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item_func_json_extract::val_str()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of 'value_length'. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item_func_json_extract::val_int()' function in 'sql/item_jsonfunc.cc' that is triggered during the handling of NULL paths. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'mysql_rm_table_no_locks()' function in 'sql/sql_table.cc' that is triggered when dropping temporary tables. This may allow an authenticated attacker to crash the database. This issue was introduced in commit 7305be2f7e724e5e62961606794beab199d79045 on 2016-06-10.
- A flaw exists in the 'check_view_single_update()' function in 'sql/sql_insert.cc' that is triggered when inserting specially crafted tables. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'lock_reset_lock_and_trx_wait()' function in 'storage/innobase/lock/lock0lock.cc' that is triggered when handling values (e.g. NULL) in 'wait_lock'. This may allow an authenticated attacker to crash the database.
- A flaw exists in the 'Item_cache::safe_charset_converter()' function in 'sql/item.cc' that is triggered during the handling of a specially crafted subselect query item. This may allow an authenticated attacker to crash the database.

NOTE: Whether these vulnerabilities require authenticated access or can be triggered by a remote attacker depends on how the database is deployed: the attacker may need a database account (e.g. one used for routine DBA duties), or may be able to reach the vulnerable code paths indirectly through a front end such as a web application that passes user-supplied input to the database.

Solution

Upgrade to version 10.2.3 or later.
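The affected range is narrow (only the 10.2 branch before 10.2.3), so the practical check is a version comparison. The script below is an added example, not Tenable's plugin code and not MariaDB's: it pulls the server version string out of a MySQL/MariaDB initial handshake packet (the greeting a passive sensor such as Nessus Network Monitor can observe before any login, per the MySQL client/server protocol), normalises it, and reports whether the host falls in this plugin's range. The sample packet is constructed inline with dummy values for the post-version fields. One caveat the example handles: MariaDB 10.x servers advertise their version as "5.5.5-10.2.2-MariaDB" in the handshake for old-client compatibility, so a naive check on the leading digits would misclassify the host.

```python
"""Added example: detect MariaDB 10.2.x < 10.2.3 from a version string or handshake."""
import re
import struct
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Matches the MariaDB-tagged triple even when a "5.5.5-" compatibility prefix
# precedes it (e.g. "5.5.5-10.2.2-MariaDB-log"); plain MySQL strings yield None.
_MARIADB_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-MariaDB")


def server_version_from_greeting(packet: bytes) -> Optional[str]:
    """Extract the server version from a MySQL/MariaDB initial handshake packet.

    Layout: 3-byte little-endian payload length, 1-byte sequence id, then the
    payload starting with protocol version (10) and a NUL-terminated version.
    Returns None on a truncated packet or an unexpected protocol version.
    """
    if len(packet) < 6:
        return None
    payload_len = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + payload_len]
    if len(payload) < payload_len or payload[0] != 10:
        return None
    end = payload.find(b"\x00", 1)
    if end == -1:
        return None
    return payload[1:end].decode("ascii", errors="replace")


def parse_mariadb_version(version_string: str) -> Optional[Version]:
    """Return (major, minor, patch) for strings such as '10.2.2-MariaDB-log',
    'mysqld  Ver 10.2.2-MariaDB for Linux' or '5.5.5-10.2.2-MariaDB'.
    Returns None when the string does not identify a MariaDB build."""
    m = _MARIADB_RE.search(version_string)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """This plugin's range: the 10.2 branch prior to 10.2.3. Other branches
    (10.1.x, 5.5.x) are out of scope here, not declared safe."""
    major, minor, patch = version
    return (major, minor) == (10, 2) and patch < 3


def assess(version_string: str) -> str:
    """Classify a version string as 'affected', 'not affected' or 'unknown'."""
    version = parse_mariadb_version(version_string)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def build_greeting(server_version: str) -> bytes:
    """Constructed sample handshake packet for offline testing. Fields after
    the version string carry dummy but correctly sized values."""
    payload = (
        bytes([10])                                  # protocol version
        + server_version.encode("ascii") + b"\x00"   # NUL-terminated version
        + struct.pack("<I", 42)                      # connection id
        + b"A" * 8 + b"\x00"                         # auth-plugin-data-part-1, filler
        + struct.pack("<H", 0xF7FF)                  # capability flags (lower)
        + bytes([0x21])                              # character set
        + struct.pack("<H", 0x0002)                  # status flags
        + struct.pack("<H", 0x81FF)                  # capability flags (upper)
        + bytes([21]) + b"\x00" * 10                 # auth data length, reserved
        + b"B" * 13                                  # auth-plugin-data-part-2
        + b"mysql_native_password\x00"               # auth plugin name
    )
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


if __name__ == "__main__":
    # Constructed samples: SELECT VERSION() output, mysqld --version output,
    # and the compatibility-prefixed form seen in the wire handshake.
    samples = [
        "10.2.2-MariaDB-log",
        "mysqld  Ver 10.2.3-MariaDB for Linux on x86_64",
        "10.1.21-MariaDB",
        "5.7.17",
        server_version_from_greeting(build_greeting("5.5.5-10.2.1-MariaDB")),
    ]
    for s in samples:
        print(f"{s!r}: {assess(s or '')}")
```

The result for a non-MariaDB string is "unknown" rather than "not affected", so a MySQL host or a garbled banner does not silently pass the check; treat "unknown" as a prompt to confirm the build another way (e.g. `SELECT VERSION()` from an authenticated session).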

See Also

https://mariadb.com/kb/en/mariadb-1022-changelog

Plugin Details

Severity: Medium

ID: 9916

Family: Database

Published: 1/26/2017

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mariadb:mariadb

Patch Publication Date: 12/24/2016

Vulnerability Publication Date: 10/5/2015