EulerOS 2.0 SP8 : mariadb (EulerOS-SA-2022-1939)

high Nessus Plugin ID 162459

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the mariadb packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

- get_sort_by_table in MariaDB before 10.6.2 allows an application crash via certain subquery uses of ORDER BY. (CVE-2021-46657)

- MariaDB before 10.7.2 allows an application crash because it does not recognize that SELECT_LEX::nest_level is local to each VIEW. (CVE-2021-46659)

- MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.
(CVE-2021-46663)

- MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.
(CVE-2021-46664)

- MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations. (CVE-2021-46665)

- MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.
(CVE-2021-46668)

- MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements. (CVE-2022-27377)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected mariadb packages.

See Also

http://www.nessus.org/u?2cbf4143

Plugin Details

Severity: High

ID: 162459

File Name: EulerOS_SA-2022-1939.nasl

Version: 1.3

Type: local

Published: 6/22/2022

Updated: 10/19/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2022-27377

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:mariadb, p-cpe:/a:huawei:euleros:mariadb-common, p-cpe:/a:huawei:euleros:mariadb-devel, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/22/2022

Vulnerability Publication Date: 1/29/2022

Reference Information

CVE: CVE-2021-46657, CVE-2021-46659, CVE-2021-46663, CVE-2021-46664, CVE-2021-46665, CVE-2021-46668, CVE-2022-27377