===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2023.7592
K000137940 : Multiple Oracle MySQL vulnerabilities
19 December 2023

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Oracle MySQL
Publisher:         F5 Networks
Operating System:  Network Appliance
Resolution:        None
CVE Names:         CVE-2023-22028 CVE-2023-22026 CVE-2023-22015

Original Bulletin:
https://my.f5.com/manage/s/article/K000137940

Comment: CVSS (Max):  None
         CVSS Source: F5

--------------------------BEGIN INCLUDED TEXT--------------------

K000137940: Multiple Oracle MySQL vulnerabilities

Published Date: Dec 18, 2023

Security Advisory Description

o CVE-2023-22015

  Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.42 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

o CVE-2023-22026

  Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.42 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

o CVE-2023-22028

  Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.43 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Impact

There is no impact; F5 products are not affected by this vulnerability.

Security Advisory Status

F5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.

Note: F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy.

Security Advisory Recommended Actions

None

Related Content

o K41942608: Overview of MyF5 security advisory articles
o K12201527: Overview of Quarterly Security Notifications
o K51812227: Understanding security advisory versioning
o K4602: Overview of the F5 security vulnerability response policy
o K39757430: F5 product and services lifecycle policy index
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================