Vulnerabilities > CVE-2017-3322 - Unspecified vulnerability in Oracle Mysql Cluster
Summary
Vulnerability in the MySQL Cluster component of Oracle MySQL (subcomponent: Cluster: NDBAPI). Supported versions that are affected are 7.2.25 and earlier, 7.3.14 and earlier, 7.4.12 and earlier and . Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS v3.0 Base Score 3.7 (Availability impacts).
Vulnerable Configurations
Nessus
NASL family Databases NASL id MYSQL_CLUSTER_7_3_15.NASL description The version of MySQL Cluster running on the remote host is 7.3.x prior to 7.3.15. It is, therefore, affected by multiple vulnerabilities : - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to update, insert, or delete arbitrary data. (CVE-2016-5541) - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3322) - An unspecified flaw exists in the General subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3323) last seen 2020-06-01 modified 2020-06-02 plugin id 96726 published 2017-01-24 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96726 title MySQL Cluster 7.3.x < 7.3.15 Multiple Vulnerabilities (January 2017 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96726); script_version("1.6"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2016-5541", "CVE-2017-3322", "CVE-2017-3323"); script_bugtraq_id(95574, 95575, 95592); script_name(english:"MySQL Cluster 7.3.x < 7.3.15 Multiple Vulnerabilities (January 2017 CPU)"); script_summary(english:"Checks the MySQL Cluster version."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of MySQL Cluster running on the remote host is 7.3.x prior to 7.3.15. It is, therefore, affected by multiple vulnerabilities : - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to update, insert, or delete arbitrary data. (CVE-2016-5541) - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3322) - An unspecified flaw exists in the General subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3323)"); # https://dev.mysql.com/doc/relnotes/mysql-cluster/7.3/en/mysql-cluster-news-7-3-15.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?27ecedfe"); # http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1c38e52"); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL Cluster version 7.3.15 or later as referenced in the January 2017 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5541"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/24"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_cluster"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/mysql", 3306); exit(0); } include("mysql_version.inc"); mysql_check_version(variant:'Cluster', fixed:'7.3.15', min:'7.3', severity:SECURITY_WARNING);
NASL family Databases NASL id MYSQL_CLUSTER_7_2_26.NASL description The version of MySQL Cluster running on the remote host is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple denial of service vulnerabilities : - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3322) - An unspecified flaw exists in the General subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3323) last seen 2020-06-01 modified 2020-06-02 plugin id 96724 published 2017-01-24 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96724 title MySQL Cluster 7.2.x < 7.2.26 Multiple DoS (January 2017 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96724); script_version("1.5"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2017-3322", "CVE-2017-3323"); script_bugtraq_id(95574, 95575); script_name(english:"MySQL Cluster 7.2.x < 7.2.26 Multiple DoS (January 2017 CPU)"); script_summary(english:"Checks the MySQL Cluster version."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple denial of service vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of MySQL Cluster running on the remote host is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple denial of service vulnerabilities : - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3322) - An unspecified flaw exists in the General subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3323)"); # https://dev.mysql.com/doc/relnotes/mysql-cluster/7.2/en/mysql-cluster-news-7-2-26.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fdc494c4"); # http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1c38e52"); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL Cluster version 7.2.26 or later as referenced in the January 2017 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3323"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/24"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_cluster"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/mysql", 3306); exit(0); } include("mysql_version.inc"); mysql_check_version(variant:'Cluster', fixed:'7.2.26', min:'7.2', severity:SECURITY_WARNING);
NASL family Databases NASL id MYSQL_CLUSTER_7_4_13.NASL description The version of MySQL Cluster running on the remote host is 7.4.x prior to 7.4.13. It is, therefore, affected by multiple vulnerabilities : - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to update, insert, or delete arbitrary data. (CVE-2016-5541) - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3322) - An unspecified flaw exists in the General subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3323) last seen 2020-06-01 modified 2020-06-02 plugin id 96728 published 2017-01-24 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96728 title MySQL Cluster 7.4.x < 7.4.13 Multiple Vulnerabilities (January 2017 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96728); script_version("1.6"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2016-5541", "CVE-2017-3322", "CVE-2017-3323"); script_bugtraq_id(95574, 95575, 95592); script_name(english:"MySQL Cluster 7.4.x < 7.4.13 Multiple Vulnerabilities (January 2017 CPU)"); script_summary(english:"Checks the MySQL Cluster version."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of MySQL Cluster running on the remote host is 7.4.x prior to 7.4.13. It is, therefore, affected by multiple vulnerabilities : - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to update, insert, or delete arbitrary data. (CVE-2016-5541) - An overflow condition exists in the NDBAPI subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3322) - An unspecified flaw exists in the General subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3323)"); # https://dev.mysql.com/doc/relnotes/mysql-cluster/7.4/en/mysql-cluster-news-7-4-13.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b0fbd72e"); # http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1c38e52"); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL Cluster version 7.4.13 or later as referenced in the January 2017 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5541"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/24"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_cluster"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/mysql", 3306); exit(0); } include("mysql_version.inc"); mysql_check_version(variant:'Cluster', fixed:'7.4.13', min:'7.4', severity:SECURITY_WARNING);
References
- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
- http://www.securityfocus.com/bid/95574
- http://www.securityfocus.com/bid/95574
- http://www.securitytracker.com/id/1037640
- http://www.securitytracker.com/id/1037640