| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Jan 2017 06:34:55 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: bugtraq@...urityfocus.com
Subject: Novel Contributions to the field - How I broke MySQL's code-base
(Part 2) [CVE-2016-5541] MySQL cluster remote 0day
************************************************************************************
*
*
* Copyright (c) 2017, Advanced Information Security Corp / Oracle Inc. *
*
*
*
*
************************************************************************************
ABSTRACT
===========
This industry-led research was conducted by Advanced Information
Security co-jointly with Oracle Corporation. The CVE assigned for the
MySQL Cluster issues is CVE-2016-5541. This security research
concluded to multiple zero-day vulnerabilities affecting the 'MySQL
Protocol' protocol. Feasibility of exploitation is remote &
unauthenticated.
The vulnerability can be exploited over the 'MySQL Protocol' protocol.
The 'Cluster: NDBAPI' sub component can be exploited.
VERSIONS AFFECTED
====================
Oracle MySQL Cluster 7.4.12
Oracle MySQL Cluster 7.4.5
Oracle MySQL Cluster 7.3.14
Oracle MySQL Cluster 7.3.8
Oracle MySQL Cluster 7.2.26
Oracle MySQL Cluster 7.2.25
Oracle MySQL Cluster 7.2.19
A full report can be obtained from
https://www.docdroid.net/o2uVeg4/cve-2016-5541.pdf.html
(References)
[1] Oracle Critical Patch Update - January 2017. 2017. Oracle
Critical Patch Update - January 2017. [ONLINE] Available at:
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Powered by blists - more mailing lists