[ALAS-2017-831] Amazon Linux AMI 2014.03 - ALAS-2017-831: medium priority package update for mysql55

Severity Medium

Affected Packages 20

CVEs 10

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3464:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1443379:
CVE-2017-3464 mysql: Server: DDL unspecified vulnerability (CPU Apr 2017)

CVE-2017-3463:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443378:
CVE-2017-3463 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)

CVE-2017-3462:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443377:
CVE-2017-3462 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)

CVE-2017-3461:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443376:
CVE-2017-3461 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)

CVE-2017-3456:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443369:
CVE-2017-3456 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)

CVE-2017-3453:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1443365:
CVE-2017-3453 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)

CVE-2017-3450:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1443363:
CVE-2017-3450 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2017)

CVE-2017-3309:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
1443359:
CVE-2017-3309 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)

CVE-2017-3308:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
1443358:
CVE-2017-3308 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)

CVE-2017-3265:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and Availability impacts).
1414423:
CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017)

Package	Affected Version
pkg:rpm/amazonlinux/mysql55?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-test?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-test?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-server?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-server?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-libs?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-libs?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-embedded?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-embedded?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-embedded-devel?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-embedded-devel?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-devel?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-devel?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-debuginfo?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-debuginfo?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-bench?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql55-bench?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql-config?arch=x86_64&distro=amazonlinux-1	< 5.5.56-1.17.amzn1
pkg:rpm/amazonlinux/mysql-config?arch=i686&distro=amazonlinux-1	< 5.5.56-1.17.amzn1

ID

ALAS-2017-831

Severity

medium

URL

https://alas.aws.amazon.com/ALAS-2017-831.html

Published

2017-05-19T00:27:00
(7 years ago)

Modified

2017-05-19T03:44:00
(7 years ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2017-3265	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265
CVE	CVE-2017-3308	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3308
CVE	CVE-2017-3309	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3309
CVE	CVE-2017-3450	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3450
CVE	CVE-2017-3453	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3453
CVE	CVE-2017-3456	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3456
CVE	CVE-2017-3461	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3461
CVE	CVE-2017-3462	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3462
CVE	CVE-2017-3463	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3463
CVE	CVE-2017-3464	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3464

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/mysql55?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-test?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-test	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-test?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-test	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-server?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-server	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-server?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-server	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-libs?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-libs	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-libs?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-libs	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-embedded?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-embedded	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-embedded?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-embedded	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-embedded-devel?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-embedded-devel	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-embedded-devel?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-embedded-devel	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-devel?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-devel	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-devel?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-devel	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-debuginfo?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-debuginfo	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-debuginfo?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-debuginfo	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql55-bench?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql55-bench	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql55-bench?arch=i686&distro=amazonlinux-1	amazonlinux	mysql55-bench	< 5.5.56-1.17.amzn1	amazonlinux-1	i686
Affected	pkg:rpm/amazonlinux/mysql-config?arch=x86_64&distro=amazonlinux-1	amazonlinux	mysql-config	< 5.5.56-1.17.amzn1	amazonlinux-1	x86_64
Affected	pkg:rpm/amazonlinux/mysql-config?arch=i686&distro=amazonlinux-1	amazonlinux	mysql-config	< 5.5.56-1.17.amzn1	amazonlinux-1	i686

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date