[debian-mysql] Bug#1029151: mysql-8.0: CVE-2023-21863 CVE-2023-21867 CVE-2023-21868 CVE-2023-21869 CVE-2023-21870 CVE-2023-21871 CVE-2023-21873 CVE-2023-21875 CVE-2023-21876 CVE-2023-21877 CVE-2023-21878 CVE-2023-21879 CVE-2023-21880 CVE-2023-21881 CVE-2023-21882 CVE-2023-21883 CVE-2023-21887

[Moritz Mühlenhoff]

Source: mysql-8.0
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

All fixed in 8.0.32.

CVE-2023-21863[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21867[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21868[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21869[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server as well as unauthorized update, insert or delete
| access to some of MySQL Server accessible data. CVSS 3.1 Base Score
| 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2023-21870[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21871[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21873[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21875[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Security: Encryption). Supported versions that are affected
| are 8.0.31 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized creation, deletion or modification access to
| critical data or all MySQL Server accessible data and unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H).


CVE-2023-21876[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21877[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server as well as unauthorized update, insert or delete
| access to some of MySQL Server accessible data. CVSS 3.1 Base Score
| 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2023-21878[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21879[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21880[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server as well as unauthorized update, insert or delete
| access to some of MySQL Server accessible data. CVSS 3.1 Base Score
| 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2023-21881[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21882[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).


CVE-2023-21883[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21887[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: GIS). Supported versions that are affected are 8.0.31 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-21863
    https://www.cve.org/CVERecord?id=CVE-2023-21863
[1] https://security-tracker.debian.org/tracker/CVE-2023-21867
    https://www.cve.org/CVERecord?id=CVE-2023-21867
[2] https://security-tracker.debian.org/tracker/CVE-2023-21868
    https://www.cve.org/CVERecord?id=CVE-2023-21868
[3] https://security-tracker.debian.org/tracker/CVE-2023-21869
    https://www.cve.org/CVERecord?id=CVE-2023-21869
[4] https://security-tracker.debian.org/tracker/CVE-2023-21870
    https://www.cve.org/CVERecord?id=CVE-2023-21870
[5] https://security-tracker.debian.org/tracker/CVE-2023-21871
    https://www.cve.org/CVERecord?id=CVE-2023-21871
[6] https://security-tracker.debian.org/tracker/CVE-2023-21873
    https://www.cve.org/CVERecord?id=CVE-2023-21873
[7] https://security-tracker.debian.org/tracker/CVE-2023-21875
    https://www.cve.org/CVERecord?id=CVE-2023-21875
[8] https://security-tracker.debian.org/tracker/CVE-2023-21876
    https://www.cve.org/CVERecord?id=CVE-2023-21876
[9] https://security-tracker.debian.org/tracker/CVE-2023-21877
    https://www.cve.org/CVERecord?id=CVE-2023-21877
[10] https://security-tracker.debian.org/tracker/CVE-2023-21878
    https://www.cve.org/CVERecord?id=CVE-2023-21878
[11] https://security-tracker.debian.org/tracker/CVE-2023-21879
    https://www.cve.org/CVERecord?id=CVE-2023-21879
[12] https://security-tracker.debian.org/tracker/CVE-2023-21880
    https://www.cve.org/CVERecord?id=CVE-2023-21880
[13] https://security-tracker.debian.org/tracker/CVE-2023-21881
    https://www.cve.org/CVERecord?id=CVE-2023-21881
[14] https://security-tracker.debian.org/tracker/CVE-2023-21882
    https://www.cve.org/CVERecord?id=CVE-2023-21882
[15] https://security-tracker.debian.org/tracker/CVE-2023-21883
    https://www.cve.org/CVERecord?id=CVE-2023-21883
[16] https://security-tracker.debian.org/tracker/CVE-2023-21887
    https://www.cve.org/CVERecord?id=CVE-2023-21887

Please adjust the affected versions in the BTS as needed.