[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Novel Contributions to the field - How I broke MySQL's code-base (Part 2) [CVE-2016-5541] MySQL cluster remote 0day



 ************************************************************************************
 *
                                              *
 * Copyright (c) 2017, Advanced Information Security Corp / Oracle Inc.    *
 *
                                              *
 *
                                              *
 ************************************************************************************

ABSTRACT
===========

This industry-led research was conducted by Advanced Information
Security co-jointly with Oracle Corporation. The CVE assigned for the
MySQL Cluster issues is CVE-2016-5541. This security research
concluded to multiple zero-day vulnerabilities affecting the 'MySQL
Protocol' protocol. Feasibility of exploitation is remote &
unauthenticated.



The vulnerability can be exploited over the 'MySQL Protocol' protocol.
The 'Cluster: NDBAPI' sub component can be exploited.


VERSIONS AFFECTED
====================

Oracle MySQL Cluster 7.4.12
Oracle MySQL Cluster 7.4.5
Oracle MySQL Cluster 7.3.14
Oracle MySQL Cluster 7.3.8
Oracle MySQL Cluster 7.2.26
Oracle MySQL Cluster 7.2.25
Oracle MySQL Cluster 7.2.19


A full report can be obtained from
https://www.docdroid.net/o2uVeg4/cve-2016-5541.pdf.html


(References)

[1]  Oracle Critical Patch Update - January 2017. 2017. Oracle
Critical Patch Update - January 2017. [ONLINE] Available at:
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html