ESB-2018.0370 - [Linux] IBM Security Guardium: Multiple vulnerabilities 2018-02-07

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0370
     Security Bulletin: IBM Security Guardium multiple vulnerabilities
                              7 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Guardium
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1368 CVE-2017-10388 CVE-2017-10384
                   CVE-2017-10379 CVE-2017-10378 CVE-2017-10365
                   CVE-2017-10357 CVE-2017-10356 CVE-2017-10355
                   CVE-2017-10350 CVE-2017-10349 CVE-2017-10348
                   CVE-2017-10347 CVE-2017-10346 CVE-2017-10345
                   CVE-2017-10320 CVE-2017-10314 CVE-2017-10313
                   CVE-2017-10311 CVE-2017-10309 CVE-2017-10296
                   CVE-2017-10295 CVE-2017-10294 CVE-2017-10293
                   CVE-2017-10286 CVE-2017-10285 CVE-2017-10284
                   CVE-2017-10283 CVE-2017-10281 CVE-2017-10279
                   CVE-2017-10276 CVE-2017-10274 CVE-2017-10268
                   CVE-2017-10227 CVE-2017-10167 CVE-2017-10165
                   CVE-2017-10155 CVE-2016-10165 CVE-2016-9843
                   CVE-2016-9842 CVE-2016-9841 CVE-2016-9840

Reference:         ASB-2017.0219
                   ASB-2017.0173
                   ESB-2017.0985
                   ESB-2017.0805
                   ESB-2017.0492

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22008892
   http://www.ibm.com/support/docview.wss?uid=swg22013302
   http://www.ibm.com/support/docview.wss?uid=swg22012410

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Security Guardium Database Activity Monitor is affected
by Insufficient Authorization Checks vulnerability (CVE-2018-1368)


Document information

More support for: IBM Security Guardium

Software version: 9.0, 9.1, 9.5

Operating system(s): Linux

Reference #: 2013302

Modified date: 06 February 2018


Summary

IBM Security Guardium Database Activity Monitor has addressed the following
vulnerability.

Vulnerability Details

CVEID: CVE-2018-1368

DESCRIPTION: IBM Security Guardium Database Activity Monitor could allow a
local user with low privileges to view report pages and perform some actions
that only an admin should be performing, so there is a risk that someone not
authorized can change things that they are not supposed to.

CVSS Base Score: 5.1

CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/137765 for the current
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

IBM Security Guardium V9.0, 9.1, 9.5


Remediation/Fixes

+--------------------+-----------+------------------------------------+
|Product             |VRMF       |Remediation/First Fix               |
+--------------------+-----------+------------------------------------+
|IBM Security        |9.0-9.5    |SqlGuard-9.0p758_Bundle_Jan-31-2018 |
|Guardium            |           |                                    |
|Database Activity   |           |                                    |
|Monitor             |           |                                    |
+--------------------+-----------+------------------------------------+


Workarounds and Mitigations

None


Change History

02/06/18: Original Version Published


*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security
Guardium


Document information

More support for: IBM Security Guardium

Software version: 9.0, 9.1, 9.5

Operating system(s): Linux

Reference #: 2008892

Modified date: 06 February 2018


Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version
6 used by IBM Security Guardium. These issues were disclosed as part of the IBM
Java SDK updates in October 2017. IBM Security Guardium has addressed these
vulnerabilities.


Vulnerability Details


CVEID: CVE-2017-10345

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded, JRockit Serialization component could allow an
    unauthenticated attacker to cause a denial of service resulting in a low
    availability impact using unknown attack vectors.

    CVSS Base Score: 3.1

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133774 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10295

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded, JRockit Networking component could allow an
    unauthenticated attacker to cause no confidentiality impact, low integrity
    impact, and no availability impact.

    CVSS Base Score: 4

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133729 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N)


CVEID: CVE-2017-10281

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded, JRockit Serialization component could allow an
    unauthenticated attacker to cause a denial of service resulting in a low
    availability impact using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133720 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10350

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded JAX-WS component could allow an unauthenticated
    attacker to cause a denial of service resulting in a low availability impact
    using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133779 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10347

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, JRockit Serialization component could allow an unauthenticated
    attacker to cause a denial of service resulting in a low availability impact
    using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133776 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10349

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded JAXP component could allow an unauthenticated
    attacker to cause a denial of service resulting in a low availability impact
    using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133778 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10348

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded Libraries component could allow an unauthenticated
    attacker to cause a denial of service resulting in a low availability impact
    using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133777 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10357

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded Serialization component could allow an
    unauthenticated attacker to cause a denial of service resulting in a low
    availability impact using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133786 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10355

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded, JRockit Networking component could allow an
    unauthenticated attacker to cause a denial of service resulting in a low
    availability impact using unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133784 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


CVEID: CVE-2016-9841

    DESCRIPTION: zlib is vulnerable to a denial of service, caused by
    out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to
    open a specially crafted document, a remote attacker could exploit this
    vulnerability to cause a denial of service.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/120509 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2017-10293

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE Javadoc component could allow an unauthenticated attacker to cause
    low confidentiality impact, low integrity impact, and no availability
    impact.

    CVSS Base Score: 6.1

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133727 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)


CVEID: CVE-2017-10356

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded, JRockit Security component could allow an
    unauthenticated attacker to obtain sensitive information resulting in a high
    confidentiality impact using unknown attack vectors.

    CVSS Base Score: 6.2

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


CVEID: CVE-2017-10274

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE Smart Card IO component could allow an unauthenticated attacker to
    cause high confidentiality impact, high integrity impact, and no
    availability impact.

    CVSS Base Score: 6.8

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133714 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)


CVEID: CVE-2017-10309

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE Deployment component could allow an unauthenticated attacker to
    cause low confidentiality impact, low integrity impact, and low availability
    impact.

    CVSS Base Score: 7.1

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133738 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)


CVEID: CVE-2017-10388

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded Libraries component could allow an unauthenticated
    attacker to take control of the system.

    CVSS Base Score: 7.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133813 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


CVEID: CVE-2017-10285

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded RMI component could allow an unauthenticated
    attacker to take control of the system.

    CVSS Base Score: 9.6

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133723 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)


CVEID: CVE-2017-10346

    DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
    Java SE, Java SE Embedded Hotspot component could allow an unauthenticated
    attacker to take control of the system.

    CVSS Base Score: 9.6

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133775 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)


CVEID: CVE-2016-9843

    DESCRIPTION: zlib is vulnerable to a denial of service, caused by a
    big-endian out-of-bounds pointer. By persuading a victim to open a specially
    crafted document, a remote attacker could exploit this vulnerability to
    cause a denial of service.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/120511 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2016-9842

    DESCRIPTION: zlib is vulnerable to a denial of service, caused by an
    undefined left shift of a negative number. By persuading a victim to open a
    specially crafted document, a remote attacker could exploit this
    vulnerability to cause a denial of service.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/120510 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2016-9840

    DESCRIPTION: zlib is vulnerable to a denial of service, caused by
    out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to
    open a specially crafted document, a remote attacker could exploit this
    vulnerability to cause a denial of service.

    CVSS Base Score: 3.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/120508 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)


CVEID: CVE-2016-10165

    DESCRIPTION: Little CMS is vulnerable to a denial of service, caused by an
    out-of-bounds read in Type_MLU_Read function in cmstypes.c. By using a
    specially-crafted image, a remote attacker could exploit this vulnerability
    to cause the application to crash or obtain sensitive information.

    CVSS Base Score: 6.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/127028 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)


Affected Products and Versions

IBM Security Guardium V9, 9.1, 9.5


Remediation/Fixes

+--------------------+-----------+------------------------------------+
|Product             |VRMF       |Remediation/First Fix               |
+--------------------+-----------+------------------------------------+
|IBM Security        |9.0-9.5    |SqlGuard-9.0p758_Bundle_Jan-31-2018 |
|Guardium            |           |                                    |
+--------------------+-----------+------------------------------------+


Workarounds and Mitigations

None


Change History

02/06/18: Original Version Published


*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------


Security Bulletin: IBM Security Guardium is affected by Open Source Oracle MySQL
Server Vulnerabilities


Document information

More support for: IBM Security Guardium

Software version: 9.0, 9.1, 9.5

Operating system(s): Linux

Reference #: 2012410

Modified date: 06 February 2018


Summary

IBM Security Guardium has addressed the following vulnerabilities.


Vulnerability Details


CVEID: CVE-2017-10384

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: DDL component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 6.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133809 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10379

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server Client programs component could allow an authenticated attacker to
    obtain sensitive information resulting in a high confidentiality impact
    using unknown attack vectors.

    CVSS Base Score: 6.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133804 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


CVEID: CVE-2017-10378

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Optimizer component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 6.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133803 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10365

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: InnoDB component could allow an authenticated attacker to cause no
    confidentiality impact, low integrity impact, and low availability impact.

    CVSS Base Score: 3.8

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133794 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)


CVEID: CVE-2017-10320

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: InnoDB component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133749 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10314

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Memcached component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133743 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10313

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server Group Replication GCS component could allow an authenticated attacker
    to cause a denial of service resulting in a high availability impact using
    unknown attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133742 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10311

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: FTS component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133740 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10296

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: DML component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133730 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10294

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Optimizer component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133728 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10286

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: InnoDB component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.4

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133724 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10284

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Stored Procedure component could allow an authenticated attacker to
    cause a denial of service resulting in a high availability impact using
    unknown attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133722 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10283

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Performance Schema component could allow an authenticated attacker
    to cause a denial of service resulting in a high availability impact using
    unknown attack vectors.

    CVSS Base Score: 5.3

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133721 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10279

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Optimizer component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133718 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10276

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: FTS component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 6.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133716 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10268

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Replication component could allow an authenticated attacker to
    obtain sensitive information resulting in a high confidentiality impact
    using unknown attack vectors.

    CVSS Base Score: 4.1

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133711 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)


CVEID: CVE-2017-10227

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Optimizer component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133704 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10167

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Optimizer component could allow an authenticated attacker to cause a
    denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 6.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133699 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10165

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Replication component could allow an authenticated attacker to cause
    a denial of service resulting in a high availability impact using unknown
    attack vectors.

    CVSS Base Score: 4.9

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133697 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


CVEID: CVE-2017-10155

    DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the
    Server: Pluggable Auth component could allow an unauthenticated attacker to
    cause a denial of service resulting in a high availability impact using
    unknown attack vectors.

    CVSS Base Score: 7.5

    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/133690 for the current
    score

    CVSS Environmental Score*: Undefined

    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Affected Products and Versions

IBM Security Guardium V9.0, 9.1, 9.5


Remediation/Fixes

+--------------------+-----------+------------------------------------+
|Product             |VRMF       |Remediation/First Fix               |
+--------------------+-----------+------------------------------------+
|IBM Security        |9.0-9.5    |SqlGuard-9.0p758_Bundle_Jan-31-2018 |
|Guardium            |           |                                    |
+--------------------+-----------+------------------------------------+


Workarounds and Mitigations

None


Change History

02/06/18: Original Version Published


*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================