-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin

                          ASB-2020.0176
          Multiple vulnerabilities in Oracle MySQL Products
                            21 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle MySQL Cluster
                   Oracle MySQL Enterprise Monitor
                   Oracle MySQL Server
                   Oracle MySQL Workbench
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14893 CVE-2020-14891 CVE-2020-14888 CVE-2020-14878
                   CVE-2020-14873 CVE-2020-14870 CVE-2020-14869 CVE-2020-14868
                   CVE-2020-14867 CVE-2020-14866 CVE-2020-14861 CVE-2020-14860
                   CVE-2020-14853 CVE-2020-14852 CVE-2020-14848 CVE-2020-14846
                   CVE-2020-14845 CVE-2020-14844 CVE-2020-14839 CVE-2020-14838
                   CVE-2020-14837 CVE-2020-14836 CVE-2020-14830 CVE-2020-14829
                   CVE-2020-14828 CVE-2020-14827 CVE-2020-14821 CVE-2020-14814
                   CVE-2020-14812 CVE-2020-14809 CVE-2020-14804 CVE-2020-14800
                   CVE-2020-14799 CVE-2020-14794 CVE-2020-14793 CVE-2020-14791
                   CVE-2020-14790 CVE-2020-14789 CVE-2020-14786 CVE-2020-14785
                   CVE-2020-14777 CVE-2020-14776 CVE-2020-14775 CVE-2020-14773
                   CVE-2020-14771 CVE-2020-14769 CVE-2020-14765 CVE-2020-14760
                   CVE-2020-14672 CVE-2020-13935 CVE-2020-8174 CVE-2020-1967
                   CVE-2020-1730
Member content until: Friday, November 20 2020
Reference:         ASB-2020.0170 ASB-2020.0132 ASB-2020.0104 ESB-2020.3485
                   ESB-2020.3148

OVERVIEW

        Multiple vulnerabilities have been identified in:

          o MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior,
            7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
          o MySQL Enterprise Monitor, versions 8.0.21 and prior
          o MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior,
            8.0.21 and prior
          o MySQL Workbench, versions 8.0.21 and prior [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 53 new security patches plus
        additional third party patches noted below for Oracle MySQL. 4 of
        these vulnerabilities may be remotely exploitable without
        authentication, i.e., may be exploited over a network without
        requiring user credentials." [1]

        CVE-2020-8174 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise MySQL Cluster.
        Successful attacks of this vulnerability can result in takeover of
        MySQL Cluster.
        Affects:
          o MySQL Cluster 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior

        CVE-2020-14878 8.0 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        access to the physical communication segment attached to the
        hardware where the MySQL Server executes to compromise MySQL Server.
        Successful attacks of this vulnerability can result in takeover of
        MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-13935 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTPS to compromise MySQL Enterprise Monitor.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Enterprise Monitor.
        Affects:
          o MySQL Enterprise Monitor 8.0.21 and prior

        CVE-2020-1967 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via MySQL Workbench to compromise MySQL Workbench.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Workbench.
        Affects:
          o MySQL Workbench 8.0.21 and prior

        CVE-2020-14828 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        takeover of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14775 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14765 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14769 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14830 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14836 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14846 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14800 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14827 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all MySQL Server
        accessible data.
        Affects:
          o MySQL Server 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14760 5.5 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server as well as unauthorized update,
        insert or delete access to some of MySQL Server accessible data.
        Affects:
          o MySQL Server 5.7.31 and prior

        CVE-2020-1730 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via MySQL Workbench to compromise MySQL Workbench.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a partial denial of service (partial DOS) of MySQL
        Workbench.
        Affects:
          o MySQL Workbench 8.0.21 and prior

        CVE-2020-14776 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14821 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14829 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14848 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14852 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14814 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14789 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14804 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14812 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14773 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14777 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14785 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14793 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14794 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14809 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14837 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14839 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14845 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14861 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14866 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14868 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14888 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14891 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14893 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14786 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14790 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14844 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14799 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.20 and prior

        CVE-2020-14869 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14672 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14870 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14853 4.6 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Cluster.
        Successful attacks require human interaction from a person other
        than the attacker. Successful attacks of this vulnerability can
        result in unauthorized update, insert or delete access to some of
        MySQL Cluster accessible data and unauthorized ability to cause a
        partial denial of service (partial DOS) of MySQL Cluster.
        Affects:
          o MySQL Cluster 8.0.21 and prior

        CVE-2020-14867 4.4 AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
        Difficult to exploit vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior

        CVE-2020-14873 4.4 AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
        Difficult to exploit vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14838 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
        Easily exploitable vulnerability allows low privileged attacker with
        network access via multiple protocols to compromise MySQL Server.
        Successful attacks of this vulnerability can result in unauthorized
        read access to a subset of MySQL Server accessible data.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14860 2.7 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
        Easily exploitable vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of MySQL Server
        accessible data.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14791 2.2 AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
        Difficult to exploit vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of service (partial
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 8.0.21 and prior

        CVE-2020-14771 2.2 AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
        Difficult to exploit vulnerability allows high privileged attacker
        with network access via multiple protocols to compromise MySQL
        Server. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of service (partial
        DOS) of MySQL Server.
        Affects:
          o MySQL Server 5.7.31 and prior, 8.0.21 and prior

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2020
            https://www.oracle.com/security-alerts/cpuoct2020.html

        [2] Text Form of Oracle Critical Patch Update - October 2020 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpuoct2020verbose.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX4/aiuNLKJtyKPYoAQihgQ/+M5ghiTOGxKdc22mU5EBKSIfDsDhFXD5T
UrOBoFhaZzTpae+9/sFZzB/a3fjhDUQ+xFc/bqNQP3nX9T0PCayAtFur12XtL1bz
8dQ1NgY7Fn5ntckKTkkfjdPn8iWo5x+D7mx3LbLNf443AWCYvSfeGkOmMsKfsZCb
AfBqLyHLApgUfFTK0lyUgOX2N+7PDPJWLvAzGhQGdls8JiwWbsTzSEy8vU+ZdGQ/
Wg20DoQqG92a2lDFMJXCGSpsB+xb1kia5C2HnXk7N0C3I1yiQ/GZT2al6PdnoX5f
1VhB3NgpKCWXvw0G0zbbUqz5QyiApytCqpsLcuCDNnboout2sojAyADrZC4GZfcJ
YsnE6eDloarYzwc0fYDuj7fGNAeZAtFp8uF6t7x9Is39RD4+/K+a6vQcDqd0Cpqs
F+B+I4SlqR5apRp8m05daSIufZD62ef4x1r7XP236dIkOpnauPPGn3aP06RKn9Vx
GveWyqQdKLy5EFtZCW9KdGDDYOuYPXIZjcqvh1sE/e7lqfeLsmiOJsZsdj9Bhjgf
gTqGsHnehNUf5l3jYRxqbpYYN7d+4dlO/LdI/o5LSfuiWL37IAYlHmqNDtFD7WoV
Aj3QM/5Wwowh8nEoE8PygGqW0GXpYdwFJ3MxuoRrYRniQUA45n8HjMJz/Mh/DbFL
fXuqFffqIlQ=
=Esk9
-----END PGP SIGNATURE-----
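Editor's addendum (outside the signed AusCERT text above, and not AusCERT or Oracle tooling): the bulletin lists 53 entries in one fixed layout, a CVE, a CVSS v3 base score, a vector string, and an "Affects" line of "X.Y.Z and prior" ceilings per release series. The four entries Oracle counts as remotely exploitable without authentication are exactly the ones whose vector carries AV:N and PR:N (CVE-2020-8174, CVE-2020-13935, CVE-2020-1967, CVE-2020-1730). The Python below is an added example that parses entries in that layout, reads the vector, and checks a deployed version string of the form returned by SELECT VERSION() (which carries build suffixes such as "-log" or "-0ubuntu0.20.04.4") against the ceilings of the matching series. SAMPLE is a constructed subset of four of the bulletin's entries, copied in the bulletin's format; all function and field names are this example's own.

```python
"""Triage helper for risk entries in the ASB-2020.0176 / Oracle CPU layout.

Added example, not AusCERT or Oracle code.  SAMPLE is a constructed subset
of the bulletin's entries; descriptions are shortened or omitted because
the parser keys only on the header and "Affects" lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
CVE-2020-8174 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Easily exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise MySQL Cluster.
Affects:
  o MySQL Cluster 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
CVE-2020-14878 8.0 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affects:
  o MySQL Server 8.0.21 and prior
CVE-2020-14765 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affects:
  o MySQL Server 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14799 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affects:
  o MySQL Server 8.0.20 and prior
"""

# "CVE-2020-8174 9.8 AV:N/AC:L/..." header line of each entry.
HEADER = re.compile(r"^(CVE-\d{4}-\d+)\s+(\d+\.\d)\s+(AV:\S+)\s*$")
# "  o MySQL Server 5.7.31 and prior, 8.0.21 and prior" affects line.
AFFECTS = re.compile(
    r"^\s*o\s+(MySQL (?:Enterprise Monitor|Cluster|Server|Workbench))\s+(.+)$")
RANGE = re.compile(r"(\d+)\.(\d+)\.(\d+) and prior")
# Leading numeric triple of SELECT VERSION(); build suffixes are dropped.
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int]


@dataclass
class Entry:
    cve: str
    score: float
    vector: Dict[str, str]
    affects: Dict[str, List[Version]] = field(default_factory=dict)

    @property
    def remote_unauth(self) -> bool:
        # What Oracle counts as "remotely exploitable without authentication".
        return self.vector.get("AV") == "N" and self.vector.get("PR") == "N"


def parse_vector(vector: str) -> Dict[str, str]:
    """'AV:N/AC:L/PR:N/...' -> {'AV': 'N', 'AC': 'L', 'PR': 'N', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def parse_entries(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append(Entry(m.group(1), float(m.group(2)), parse_vector(m.group(3))))
            continue
        m = AFFECTS.match(line)
        if m and entries:
            product, ranges = m.group(1), m.group(2)
            ceilings = [tuple(int(x) for x in r) for r in RANGE.findall(ranges)]
            entries[-1].affects.setdefault(product, []).extend(ceilings)
    return entries


def parse_version(deployed: str) -> Version:
    m = VERSION.match(deployed.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {deployed!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(deployed: str, ceilings: List[Version]) -> Optional[bool]:
    """True/False when the deployed release series (5.6, 5.7, 8.0, ...) is
    listed; None when it is not listed at all (e.g. an end-of-life 5.5.x),
    which is not a clean bill of health and needs a human decision."""
    major, minor, patch = parse_version(deployed)
    for c_major, c_minor, c_patch in ceilings:
        if (major, minor) == (c_major, c_minor):
            return patch <= c_patch
    return None


def triage(text: str, product: str, deployed: str) -> List[Tuple[str, float, bool, Optional[bool]]]:
    """Entries that list `product`, highest score first, as
    (cve, score, remote_unauth, affected-verdict-for-deployed-version)."""
    rows = []
    for e in parse_entries(text):
        if product in e.affects:
            rows.append((e.cve, e.score, e.remote_unauth, is_affected(deployed, e.affects[product])))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for row in triage(SAMPLE, "MySQL Server", "8.0.21-0ubuntu0.20.04.4"):
        print(row)
```

Two details are deliberate. The series check compares only (major, minor) before comparing the patch level, so a 5.7.32 host is correctly reported as not affected by a "5.7.31 and prior" ceiling even though 8.0.21 is numerically higher; and a series missing from the matrix returns None rather than False, because absence from Oracle's list (5.5.x, for instance) says nothing about whether the flaw is present. Feeding the full bulletin text to parse_entries instead of SAMPLE also surfaces the one entry whose ceiling differs from the rest, CVE-2020-14799 at 8.0.20, which a host on 8.0.21 is not affected by while still being affected by everything else in the 8.0 column.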