[debian-mysql] Bug#1015789: mysql-8.0: CVE-2022-21569 CVE-2022-21556 CVE-2022-21553 CVE-2022-21550 CVE-2022-21547 CVE-2022-21539 CVE-2022-21538 CVE-2022-21537 CVE-2022-21535 CVE-2022-21534 CVE-2022-21531 CVE-2022-21530 CVE-2022-21529 CVE-2022-21528 CVE-2022-21527 CVE-2022-21526 CVE-2022-21525 CVE-2022-21522 CVE-2022-21519 CVE-2022-21517 CVE-2022-21515 CVE-2022-21509 CVE-2022-21455
Moritz Mühlenhoff
jmm at inutil.org
Thu Jul 21 10:51:52 BST 2022
Source: mysql-8.0
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
All fixed in latest CPU:
CVE-2022-21569[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21556[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.28
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized creation, deletion or modification access to critical
| data or all MySQL Server accessible data and unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts).
| CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).
CVE-2022-21553[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21550[3]:
| Vulnerability in the MySQL Cluster product of Oracle MySQL (component:
| Cluster: General). Supported versions that are affected are 7.4.36 and
| prior, 7.5.26 and prior, 7.6.22 and prior and and 8.0.29 and prior.
| Difficult to exploit vulnerability allows high privileged attacker
| with access to the physical communication segment attached to the
| hardware where the MySQL Cluster executes to compromise MySQL Cluster.
| Successful attacks require human interaction from a person other than
| the attacker. Successful attacks of this vulnerability can result in
| takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
CVE-2022-21547[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Federated). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21539[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.29 and prior.
| Difficult to exploit vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| update, insert or delete access to some of MySQL Server accessible
| data as well as unauthorized read access to a subset of MySQL Server
| accessible data and unauthorized ability to cause a partial denial of
| service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 5.0
| (Confidentiality, Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L).
CVE-2022-21538[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Security: Encryption). Supported versions that are affected
| are 8.0.29 and prior. Difficult to exploit vulnerability allows low
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21537[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.29 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21535[8]:
| Vulnerability in the MySQL Shell product of Oracle MySQL (component:
| Shell: General/Core Client). Supported versions that are affected are
| 8.0.28 and prior. Difficult to exploit vulnerability allows
| unauthenticated attacker with logon to the infrastructure where MySQL
| Shell executes to compromise MySQL Shell. Successful attacks require
| human interaction from a person other than the attacker. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of MySQL Shell. CVSS
| 3.1 Base Score 2.5 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
CVE-2022-21534[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 8.0.29 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21531[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21530[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21529[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21528[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server as well as unauthorized update, insert
| or delete access to some of MySQL Server accessible data. CVSS 3.1
| Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2022-21527[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server as well as unauthorized update, insert
| or delete access to some of MySQL Server accessible data. CVSS 3.1
| Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2022-21526[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21525[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21522[17]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 8.0.29 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21519[18]:
| Vulnerability in the MySQL Cluster product of Oracle MySQL (component:
| Cluster: General). Supported versions that are affected are 8.0.29 and
| prior. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| MySQL Cluster. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Cluster. CVSS 3.1 Base Score 5.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21517[19]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.29 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21515[20]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Options). Supported versions that are affected are 5.7.38 and
| prior and 8.0.29 and prior. Easily exploitable vulnerability allows
| high privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21509[21]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.29
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server as well as unauthorized update, insert
| or delete access to some of MySQL Server accessible data. CVSS 3.1
| Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2022-21455[22]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: PAM Auth Plugin). Supported versions that are affected are
| 8.0.28 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized creation, deletion or modification access to
| critical data or all MySQL Server accessible data. CVSS 3.1 Base Score
| 4.9 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-21569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21569
[1] https://security-tracker.debian.org/tracker/CVE-2022-21556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21556
[2] https://security-tracker.debian.org/tracker/CVE-2022-21553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21553
[3] https://security-tracker.debian.org/tracker/CVE-2022-21550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21550
[4] https://security-tracker.debian.org/tracker/CVE-2022-21547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21547
[5] https://security-tracker.debian.org/tracker/CVE-2022-21539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21539
[6] https://security-tracker.debian.org/tracker/CVE-2022-21538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21538
[7] https://security-tracker.debian.org/tracker/CVE-2022-21537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21537
[8] https://security-tracker.debian.org/tracker/CVE-2022-21535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21535
[9] https://security-tracker.debian.org/tracker/CVE-2022-21534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21534
[10] https://security-tracker.debian.org/tracker/CVE-2022-21531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21531
[11] https://security-tracker.debian.org/tracker/CVE-2022-21530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21530
[12] https://security-tracker.debian.org/tracker/CVE-2022-21529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21529
[13] https://security-tracker.debian.org/tracker/CVE-2022-21528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21528
[14] https://security-tracker.debian.org/tracker/CVE-2022-21527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21527
[15] https://security-tracker.debian.org/tracker/CVE-2022-21526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21526
[16] https://security-tracker.debian.org/tracker/CVE-2022-21525
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21525
[17] https://security-tracker.debian.org/tracker/CVE-2022-21522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21522
[18] https://security-tracker.debian.org/tracker/CVE-2022-21519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21519
[19] https://security-tracker.debian.org/tracker/CVE-2022-21517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21517
[20] https://security-tracker.debian.org/tracker/CVE-2022-21515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21515
[21] https://security-tracker.debian.org/tracker/CVE-2022-21509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21509
[22] https://security-tracker.debian.org/tracker/CVE-2022-21455
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21455
Please adjust the affected versions in the BTS as needed.
More information about the pkg-mysql-maint
mailing list