RHEL 8 : mysql:8.0 (RHSA-2024:0894)

high Nessus Plugin ID 190767

Synopsis

The remote Red Hat host is missing one or more security updates for mysql:8.0.

Description

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0894 advisory.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

Security Fix(es):

* mysql: InnoDB unspecified vulnerability (CPU Apr 2023) (CVE-2023-21911)

* mysql: Server: DDL unspecified vulnerability (CPU Apr 2023) (CVE-2023-21919, CVE-2023-21929, CVE-2023-21933)

* mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023) (CVE-2023-21920, CVE-2023-21935, CVE-2023-21945, CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982)

* mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023) (CVE-2023-21940, CVE-2023-21947, CVE-2023-21962)

* mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21953, CVE-2023-21955)

* mysql: Server: JSON unspecified vulnerability (CPU Apr 2023) (CVE-2023-21966)

* mysql: Server: DML unspecified vulnerability (CPU Apr 2023) (CVE-2023-21972)

* mysql: Client programs unspecified vulnerability (CPU Apr 2023) (CVE-2023-21980)

* mysql: Server: Replication unspecified vulnerability (CPU Jul 2023) (CVE-2023-22005, CVE-2023-22007, CVE-2023-22057)

* mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22008)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023) (CVE-2023-22032, CVE-2023-22059, CVE-2023-22064, CVE-2023-22065, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22092, CVE-2023-22103, CVE-2023-22110, CVE-2023-22112)

* mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22033)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023) (CVE-2023-22046, CVE-2023-22054, CVE-2023-22056)

* mysql: Client programs unspecified vulnerability (CPU Jul 2023) (CVE-2023-22053)

* mysql: Server: DDL unspecified vulnerability (CPU Jul 2023) (CVE-2023-22058)

* mysql: InnoDB unspecified vulnerability (CPU Oct 2023) (CVE-2023-22066, CVE-2023-22068, CVE-2023-22084, CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)

* mysql: Server: UDF unspecified vulnerability (CPU Oct 2023) (CVE-2023-22111)

* mysql: Server: DML unspecified vulnerability (CPU Oct 2023) (CVE-2023-22115)

* mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024) (CVE-2024-20960)

* mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024) (CVE-2024-20963)

* mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024) (CVE-2024-20964)

* mysql: Server: Replication unspecified vulnerability (CPU Jan 2024) (CVE-2024-20967)

* mysql: Server: Options unspecified vulnerability (CPU Jan 2024) (CVE-2024-20968)

* mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20969)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024) (CVE-2024-20961, CVE-2024-20962, CVE-2024-20965, CVE-2024-20966, CVE-2024-20970, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973, CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20982)

* mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20981)

* mysql: Server: DML unspecified vulnerability (CPU Jan 2024) (CVE-2024-20983)

* mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024) (CVE-2024-20984)

* mysql: Server: UDF unspecified vulnerability (CPU Jan 2024) (CVE-2024-20985)

* zstd: mysql: buffer overrun in util.c (CVE-2022-4899)

* mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023) (CVE-2023-22038)

* mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023) (CVE-2023-22048)

* mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023) (CVE-2023-22113)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Fix for MySQL bug #33630199 in 8.0.32 introduces regression when --set-gtid-purged=OFF (RHEL-22452)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL mysql:8.0 package based on the guidance in RHSA-2024:0894.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=2188125

https://bugzilla.redhat.com/show_bug.cgi?id=2188127

https://bugzilla.redhat.com/show_bug.cgi?id=2188128

https://bugzilla.redhat.com/show_bug.cgi?id=2188129

https://bugzilla.redhat.com/show_bug.cgi?id=2188130

https://bugzilla.redhat.com/show_bug.cgi?id=2188131

https://bugzilla.redhat.com/show_bug.cgi?id=2188132

https://bugzilla.redhat.com/show_bug.cgi?id=2224211

https://bugzilla.redhat.com/show_bug.cgi?id=2224212

https://bugzilla.redhat.com/show_bug.cgi?id=2224213

https://bugzilla.redhat.com/show_bug.cgi?id=2224214

https://bugzilla.redhat.com/show_bug.cgi?id=2224215

https://bugzilla.redhat.com/show_bug.cgi?id=2224216

https://bugzilla.redhat.com/show_bug.cgi?id=2224217

https://bugzilla.redhat.com/show_bug.cgi?id=2224218

https://bugzilla.redhat.com/show_bug.cgi?id=2224219

https://bugzilla.redhat.com/show_bug.cgi?id=2224220

https://bugzilla.redhat.com/show_bug.cgi?id=2224221

https://bugzilla.redhat.com/show_bug.cgi?id=2224222

https://bugzilla.redhat.com/show_bug.cgi?id=2245014

https://bugzilla.redhat.com/show_bug.cgi?id=2245015

https://bugzilla.redhat.com/show_bug.cgi?id=2245016

https://bugzilla.redhat.com/show_bug.cgi?id=2245017

https://bugzilla.redhat.com/show_bug.cgi?id=2245018

https://bugzilla.redhat.com/show_bug.cgi?id=2245019

https://bugzilla.redhat.com/show_bug.cgi?id=2245020

https://bugzilla.redhat.com/show_bug.cgi?id=2245021

https://bugzilla.redhat.com/show_bug.cgi?id=2245022

https://bugzilla.redhat.com/show_bug.cgi?id=2245023

https://bugzilla.redhat.com/show_bug.cgi?id=2245024

https://bugzilla.redhat.com/show_bug.cgi?id=2245026

https://bugzilla.redhat.com/show_bug.cgi?id=2245027

https://bugzilla.redhat.com/show_bug.cgi?id=2245028

https://bugzilla.redhat.com/show_bug.cgi?id=2245029

https://bugzilla.redhat.com/show_bug.cgi?id=2245030

https://bugzilla.redhat.com/show_bug.cgi?id=2245031

https://bugzilla.redhat.com/show_bug.cgi?id=2245032

https://bugzilla.redhat.com/show_bug.cgi?id=2245033

https://bugzilla.redhat.com/show_bug.cgi?id=2245034

https://bugzilla.redhat.com/show_bug.cgi?id=2258771

https://bugzilla.redhat.com/show_bug.cgi?id=2258772

https://bugzilla.redhat.com/show_bug.cgi?id=2258773

https://bugzilla.redhat.com/show_bug.cgi?id=2258774

https://bugzilla.redhat.com/show_bug.cgi?id=2258775

https://bugzilla.redhat.com/show_bug.cgi?id=2258776

https://bugzilla.redhat.com/show_bug.cgi?id=2258777

https://bugzilla.redhat.com/show_bug.cgi?id=2258778

https://bugzilla.redhat.com/show_bug.cgi?id=2258779

https://bugzilla.redhat.com/show_bug.cgi?id=2258780

https://bugzilla.redhat.com/show_bug.cgi?id=2258781

https://bugzilla.redhat.com/show_bug.cgi?id=2258782

https://bugzilla.redhat.com/show_bug.cgi?id=2258783

https://bugzilla.redhat.com/show_bug.cgi?id=2258784

https://bugzilla.redhat.com/show_bug.cgi?id=2258785

https://bugzilla.redhat.com/show_bug.cgi?id=2258787

https://bugzilla.redhat.com/show_bug.cgi?id=2258788

https://bugzilla.redhat.com/show_bug.cgi?id=2258789

https://bugzilla.redhat.com/show_bug.cgi?id=2258790

https://bugzilla.redhat.com/show_bug.cgi?id=2258791

https://bugzilla.redhat.com/show_bug.cgi?id=2258792

https://bugzilla.redhat.com/show_bug.cgi?id=2258793

https://bugzilla.redhat.com/show_bug.cgi?id=2258794

http://www.nessus.org/u?f3f96111

https://access.redhat.com/errata/RHSA-2024:0894

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2179864

https://bugzilla.redhat.com/show_bug.cgi?id=2188109

https://bugzilla.redhat.com/show_bug.cgi?id=2188113

https://bugzilla.redhat.com/show_bug.cgi?id=2188115

https://bugzilla.redhat.com/show_bug.cgi?id=2188116

https://bugzilla.redhat.com/show_bug.cgi?id=2188117

https://bugzilla.redhat.com/show_bug.cgi?id=2188118

https://bugzilla.redhat.com/show_bug.cgi?id=2188119

https://bugzilla.redhat.com/show_bug.cgi?id=2188120

https://bugzilla.redhat.com/show_bug.cgi?id=2188121

https://bugzilla.redhat.com/show_bug.cgi?id=2188122

https://bugzilla.redhat.com/show_bug.cgi?id=2188123

https://bugzilla.redhat.com/show_bug.cgi?id=2188124

Plugin Details

Severity: High

ID: 190767

File Name: redhat-RHSA-2024-0894.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2/20/2024

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-21980

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:mysql-devel, p-cpe:/a:redhat:enterprise_linux:mysql, p-cpe:/a:redhat:enterprise_linux:mysql-server, p-cpe:/a:redhat:enterprise_linux:mysql-errmsg, p-cpe:/a:redhat:enterprise_linux:mecab, p-cpe:/a:redhat:enterprise_linux:mecab-ipadic, p-cpe:/a:redhat:enterprise_linux:mysql-common, p-cpe:/a:redhat:enterprise_linux:mysql-test, p-cpe:/a:redhat:enterprise_linux:mecab-devel, p-cpe:/a:redhat:enterprise_linux:mecab-ipadic-eucjp, p-cpe:/a:redhat:enterprise_linux:mysql-libs, cpe:/o:redhat:enterprise_linux:8

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 2/20/2024

Vulnerability Publication Date: 3/31/2023

Reference Information

CVE: CVE-2022-4899, CVE-2023-21911, CVE-2023-21919, CVE-2023-21920, CVE-2023-21929, CVE-2023-21933, CVE-2023-21935, CVE-2023-21940, CVE-2023-21945, CVE-2023-21946, CVE-2023-21947, CVE-2023-21953, CVE-2023-21955, CVE-2023-21962, CVE-2023-21966, CVE-2023-21972, CVE-2023-21976, CVE-2023-21977, CVE-2023-21980, CVE-2023-21982, CVE-2023-22005, CVE-2023-22007, CVE-2023-22008, CVE-2023-22032, CVE-2023-22033, CVE-2023-22038, CVE-2023-22046, CVE-2023-22048, CVE-2023-22053, CVE-2023-22054, CVE-2023-22056, CVE-2023-22057, CVE-2023-22058, CVE-2023-22059, CVE-2023-22064, CVE-2023-22065, CVE-2023-22066, CVE-2023-22068, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22084, CVE-2023-22092, CVE-2023-22097, CVE-2023-22103, CVE-2023-22104, CVE-2023-22110, CVE-2023-22111, CVE-2023-22112, CVE-2023-22113, CVE-2023-22114, CVE-2023-22115, CVE-2024-20960, CVE-2024-20961, CVE-2024-20962, CVE-2024-20963, CVE-2024-20964, CVE-2024-20965, CVE-2024-20966, CVE-2024-20967, CVE-2024-20968, CVE-2024-20969, CVE-2024-20970, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973, CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20981, CVE-2024-20982, CVE-2024-20983, CVE-2024-20984, CVE-2024-20985, CVE-2024-20993, CVE-2024-21049, CVE-2024-21050, CVE-2024-21051, CVE-2024-21052, CVE-2024-21053, CVE-2024-21055, CVE-2024-21056, CVE-2024-21057, CVE-2024-21061, CVE-2024-21137, CVE-2024-21200

CWE: 400

IAVA: 2023-A-0212-S, 2023-A-0368-S, 2023-A-0562, 2024-A-0034-S

RHSA: 2024:0894