Oracle has released a Critical Security Patch for a long list of Oracle products. For MySQL specifically, the patch purports to resolve a multitude of vulnerabilities that allow remote execution without authentication, and impact nearly all versions of the database software.
Oracle provided the following Risk Matrix to their MySQL customers, which lists the CVE number of each vulnerability, the affected component and sub-component, whether it is remotely exploitable without authentication, its CVSS 2.0 metrics, and the supported versions affected.
I've included a copy of that Matrix for readers to review below.
As the reader can clearly see, the risk for unpatched MySQL users is huge. A total of 154 vulnerabilities are addressed with this update. Some of these vulnerabilities reach a forehead-slapping CVSS score of 9.0 (just one point beneath the score for the recent Shellshock bash vulnerability). 24 of the patches are for MySQL.
I highly advise anyone using MySQL or any Oracle product, including Java, to update their software immediately.
Oracle MySQL Risk Matrix
The Base Score and the six columns that follow it are the CVSS version 2.0 base metrics (see Oracle's Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2014-6507 | MySQL Server | MySQL Protocol | SERVER:DML | No | 8.0 | Network | Low | Single | Partial+ | Partial+ | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6491 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6500 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6469 | MySQL Server | MySQL Protocol | SERVER:OPTIMIZER | No | 6.8 | Network | Low | Single | None | None | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-0224 | MySQL Server | MySQL Protocol | SERVER:SSL:OpenSSL | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 5.6.19 and earlier | See Note 1 |
CVE-2014-6530 | MySQL Server | MySQL Protocol | CLIENT:MYSQLDUMP | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-6555 | MySQL Server | MySQL Protocol | SERVER:DML | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6489 | MySQL Server | MySQL Protocol | SERVER:SP | No | 5.5 | Network | Low | Single | None | Partial | Partial+ | 5.6.19 and earlier | |
CVE-2012-5615 | MySQL Server | MySQL Protocol | SERVER:PRIVILEGES AUTHENTICATION PLUGIN API | Yes | 5.0 | Network | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-6559 | MySQL Server | MySQL Protocol | C API SSL CERTIFICATE HANDLING | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6494 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6496 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6495 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-6478 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-4274 | MySQL Server | MySQL Protocol | SERVER:MyISAM | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-4287 | MySQL Server | MySQL Protocol | SERVER:CHARACTER SETS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-6520 | MySQL Server | MySQL Protocol | SERVER:DDL | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier | |
CVE-2014-6484 | MySQL Server | MySQL Protocol | SERVER:DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-6464 | MySQL Server | MySQL Protocol | SERVER:INNODB DML FOREIGN KEYS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
CVE-2014-6564 | MySQL Server | MySQL Protocol | SERVER:INNODB FULLTEXT SEARCH DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.19 and earlier | |
CVE-2014-6505 | MySQL Server | MySQL Protocol | SERVER:MEMORY STORAGE ENGINE | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-6474 | MySQL Server | Memcached | SERVER:MEMCACHED | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.19 and earlier | |
CVE-2014-6463 | MySQL Server | MySQL Protocol | SERVER:REPLICATION ROW FORMAT BINARY LOG DML | No | 3.3 | Network | Low | Multiple | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
CVE-2014-6551 | MySQL Server | MySQL Protocol | CLIENT:MYSQLADMIN | No | 2.1 | Local | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |
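The matrix is most useful when you turn it into a patch-priority list for the servers you actually run. The script below is an added example (mine, not part of the original post and not Oracle's tooling): it takes a handful of rows copied from the matrix above, recomputes each CVSS 2.0 base score from the published Access Vector / Complexity / Authentication / C / I / A metrics using the CVSS v2 base equations, and reports which rows apply to a given installed server version, flagging the ones exploitable remotely without authentication. The installed version string is a constructed sample, and the reading of "X.Y.Z and earlier" as "the X.Y release series up to patch level Z" is my assumption about Oracle's wording.

```python
"""Triage the Oracle MySQL risk matrix against an installed server version.

Added example; not from the original post or from Oracle. The MATRIX rows are
copied from the table on this page. The CVSS v2.0 equations and weights are
those of the CVSS v2 specification; the version-range reading is an assumption
noted in is_affected().
"""
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base metric weights.
AV = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# (CVE, remote exploit without auth?, AV, AC, Au, C, I, A, stated base score,
#  supported versions affected) -- values as printed in the matrix above.
# "Partial+" is Oracle's annotation for Partial; the CVSS weight is identical.
MATRIX = [
    ("CVE-2014-6507", False, "Network", "Low", "Single", "Partial+", "Partial+", "Complete", 8.0, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6491", True, "Network", "Low", "None", "Partial+", "Partial+", "Partial+", 7.5, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6469", False, "Network", "Low", "Single", "None", "None", "Complete", 6.8, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-0224", True, "Network", "Medium", "None", "Partial", "Partial", "Partial", 6.8, "5.6.19 and earlier"),
    ("CVE-2012-5615", True, "Network", "Low", "None", "Partial", "None", "None", 5.0, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6559", True, "Network", "Medium", "None", "Partial+", "None", "None", 4.3, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-4274", False, "Local", "Medium", "Single", "Partial+", "Partial+", "Partial+", 4.1, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6551", False, "Local", "Low", "None", "Partial", "None", "None", 2.1, "5.5.38 and earlier, 5.6.19 and earlier"),
]


def cvss2_base(av, ac, au, c, i, a):
    """CVSS v2.0 base score, rounded half-up to one decimal as the spec requires."""
    c, i, a = (m.rstrip("+") for m in (c, i, a))
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def verify_scores(rows=MATRIX):
    """CVEs whose recomputed score disagrees with the score Oracle published."""
    return [r[0] for r in rows if cvss2_base(*r[2:8]) != r[8]]


_BOUND = re.compile(r"(\d+)\.(\d+)\.(\d+) and earlier")


def parse_version(s):
    return tuple(int(x) for x in s.split("."))


def is_affected(installed, affected_text):
    """True if `installed` falls inside one of the 'X.Y.Z and earlier' ranges.

    Assumption: each 'X.Y.Z and earlier' entry covers the X.Y release series up
    to patch level Z; a series the row does not list is treated as not affected
    by that row (so 5.5.40 is not caught by a row that only names 5.6.19).
    """
    inst = parse_version(installed)
    for m in _BOUND.finditer(affected_text):
        bound = tuple(int(x) for x in m.groups())
        if inst[:2] == bound[:2] and inst <= bound:
            return True
    return False


def triage(installed, rows=MATRIX):
    """(CVE, base score, remotely exploitable without auth) for every row that
    applies to `installed`, highest score first."""
    hits = [(r[0], r[8], r[1]) for r in rows if is_affected(installed, r[9])]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    assert verify_scores() == [], "published scores should match the v2 equations"
    installed = "5.6.20"  # constructed sample; use the output of SELECT VERSION() in practice
    for cve, score, remote in triage(installed):
        flag = "REMOTE, NO AUTH" if remote else "authenticated/local"
        print(f"{cve}  CVSS {score:>3}  {flag}")
```

Running it against 5.6.20 lists four of the eight rows, two of them remotely exploitable without authentication; against 5.6.21 it lists nothing, which is the point of applying the patch. The score check is worth keeping: reproducing Oracle's numbers from the metric columns confirms the table was transcribed correctly before anyone prioritises work from it.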