Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.0055
IBM Security Guardium is affected by a publicly disclosed
vulnerability from Oracle MySQL
4 January 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Security Guardium
Publisher: IBM
Operating System: Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Modify Arbitrary Files -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-3286 CVE-2018-3285 CVE-2018-3284
CVE-2018-3283 CVE-2018-3282 CVE-2018-3279
CVE-2018-3278 CVE-2018-3277 CVE-2018-3276
CVE-2018-3258 CVE-2018-3251 CVE-2018-3247
CVE-2018-3212 CVE-2018-3203 CVE-2018-3200
CVE-2018-3195 CVE-2018-3187 CVE-2018-3186
CVE-2018-3185 CVE-2018-3174 CVE-2018-3173
CVE-2018-3171 CVE-2018-3170 CVE-2018-3162
CVE-2018-3161 CVE-2018-3156 CVE-2018-3155
CVE-2018-3145 CVE-2018-3144 CVE-2018-3143
CVE-2018-3137 CVE-2018-3133
Reference: ASB-2018.0258
ESB-2018.3954
ESB-2018.3327
ESB-2018.3257.2
Original Bulletin:
https://www.ibm.com/support/docview.wss?uid=ibm10793777
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Security Guardium is affected by a publicly disclosed
vulnerability from Oracle MySQL
Security Bulletin
Document information
Software version: 10 - 10.5
Operating system(s): Linux
Reference #: 0793777
Modified date: 03 January 2019
Summary
IBM Security Guardium has addressed the following vulnerabilities.
Vulnerability Details
CVEID: CVE-2018-3283
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Logging component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151596
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2018-3162
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151479
for the current score
CVSS Environmental Score*: Undefined
CVE-ID: CVE-2018-3279
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Security: Roles component could allow an authenticated attacker to
cause a denial of service resulting in a high availability impact using unknown
attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151592
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3258
Description: An unspecified vulnerability in Oracle MySQL related to the
Connectors Connector/J component could allow an authenticated attacker to take
control of the system.
CVSS Base Score: 8.8
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151572
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-ID: CVE-2018-3137
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Optimizer component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151453
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3156
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151472
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3277
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151590
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3212
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Information Schema component could allow an authenticated attacker to
cause a denial of service resulting in a high availability impact using unknown
attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151528
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3278
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: RBR component could allow an authenticated attacker to cause a denial
of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151591
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3276
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Memcached component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151589
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3133
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Parser component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151449
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3155
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Parser component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 7.7
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151471
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
CVE-ID: CVE-2018-3251
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151565
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3174
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Client programs component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151491
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H)
CVE-ID: CVE-2018-3195
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: DDL component could allow an authenticated attacker to cause no
confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151512
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)
CVE-ID: CVE-2018-3173
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151490
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3170
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: DDL component could allow an authenticated attacker to cause a denial
of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151487
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3171
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Partition component could allow an authenticated attacker to cause no
confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.0
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151488
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H)
CVE-ID: CVE-2018-3247
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Merge component could allow an authenticated attacker to cause no
confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151561
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)
CVE-ID: CVE-2018-3203
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Optimizer component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151519
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3145
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Parser component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151461
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3200
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151516
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3286
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Security: Privileges component could allow an authenticated attacker to
cause no confidentiality impact, low integrity impact, and no availability
impact.
CVSS Base Score: 4.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151599
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVE-ID: CVE-2018-3143
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151459
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3187
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Optimizer component could allow an authenticated attacker to cause no
confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151504
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)
CVE-ID: CVE-2018-3144
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Security: Audit component could allow an unauthenticated attacker to
cause a denial of service resulting in a high availability impact using unknown
attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151460
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3284
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause a denial of
service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.4
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151597
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3185
Description: An unspecified vulnerability in Oracle MySQL related to the Server
InnoDB component could allow an authenticated attacker to cause no
confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 5.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151502
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)
CVE-ID: CVE-2018-3285
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Windows component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151598
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3186
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Optimizer component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151503
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3161
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Partition component could allow an authenticated attacker to cause a
denial of service resulting in a high availability impact using unknown attack
vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151478
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2018-3282
Description: An unspecified vulnerability in Oracle MySQL related to the Server
Server: Storage Engines component could allow an authenticated attacker to
cause a denial of service resulting in a high availability impact using unknown
attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/151595
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
+--------------------------------------------------------------+
| Affected IBM Security Guardium |Affected Versions|
|--------------------------------------------+-----------------|
|IBM Security Guardium |10 - 10.5 |
+--------------------------------------------------------------+
Remediation/Fixes
+--------------------------------------------------------------------------+
| Product | VRMF | Remediation / First Fix |
|---------------------+---------------+------------------------------------|
| | |http://www.ibm.com/support/ |
| | |fixcentral/swg/quickorder?parent= |
| | |IBM%20Security&product=ibm/ |
|IBM Security Guardium|10-10.5 |Information+Management/ |
| | |InfoSphere+Guardium&release=10.0& |
| | |platform=All&function=fixId&fixids= |
| | |SqlGuard_10.0p520_Bundle_Dec-06-2018|
| | |&includeSupersedes=0&source=fc |
+--------------------------------------------------------------------------+
Workarounds and Mitigations
None
Change History
Jan 3, 2019: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXC7KnGaOgq3Tt24GAQiaCA//T22LQ8QGk8D74g/QpCJIWjBVipGTqdNp
NEBC0cKC+yQufbhNjP9stU/zRPVIMirifXlYjH4eOPO0Fq5euyz3IDgye55z5AVP
fZ4vgOzBQMx2leSs/FaV+PNXkqjNIOOONFIYv9ufV03CcorLRSGVAuTBELFFMkhK
jZBt83YCuiWm4tWYuF8GwnZdzDxneAi3iu+W3Dh/Kti6msuwRdm3bB+6g/T/QDsQ
4pmSrBruhhdztRBdkei/VFPbmjP28WxkLpFGDwJmZEJLpnaCyTHNk/L/v5UOIkDy
5rMigp3bANXQ7xb2buesGoKjelkWVfYJ/znAYSUYy2O+MBqmOD5XEsSvLX/8fNt7
hxfNZMkz3jLMwjAWc+cW0NfNHnUTLxH3JPEfxTiSQyBUZQjRLjE8qCeRx0izFJN1
DdikM/eSDYQbmWBtPN6lUQcvht8pVNI2r6wba5lNrADZjajIJ9K39ydORXoQTYgO
9Tb6ePeW7gRA3otj0hlVh2QUOGpF7eLI2H1tyPrlHTLBgp7ZJx67JUql59zKfWiR
TLRY6HEw/x9I9tJXZYK6u4r/0b0/2ItedeNWzfYii65qaf538qIIEliFMX2holJr
1bE7Sqy/yoexKigWFGpq62z58qDZivCiZp3ewvX8PwWzD1LQBtIAupHmh0rjmbBq
vhE0/ZsrIOc=
=/xWL
-----END PGP SIGNATURE-----