Security Bulletin
Summary
PowerKVM is affected by vulnerabilities in Oracle MySQL Server (mariadb). IBM has now addressed these vulnerabilities.
Vulnerability Details
CVEID: CVE-2016-3492
DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118106 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-5612
DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118102 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-5616
DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: MyISAM component has high confidentiality impact, high integrity impact, and high availability impact.
CVSS Base Score: 7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118099 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-5624
DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: DML component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118103 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-5626
DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: GIS component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118104 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-5629
DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: Federated component could allow a remote attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118109 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-6663
DESCRIPTION: MySQL could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition error while setting stats during MyISAM table repair. An attacker could exploit this vulnerability to change permissions of arbitrary files.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119079 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2016-8283
DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: Types component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118122 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-6662
DESCRIPTION: MySQL Server could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper restrictions to logging functions. By executing a specially crafted series of SQL statements, an attacker could exploit this vulnerability to create or modify my.conf configuration files which could execute arbitrary code with root privilege when the server is restarted. Note: Derivative works of MySQL, such as MariaDB and PerconaDB are also vulnerable.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116817 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
PowerKVM 3.1
Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed as of 3.1.0.2 update 5 or later.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
24 Jan 2017 - Initial Version
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
isg3T1024823