こんにちは。SIOS OSSエバンジェリスト/セキュリティ担当の面です。

4月21日に月例のOracle Critical Patch Update Advisoryが公開されました。今回はこの中のMySQLの脆弱性についてまとめてみます。

Moderate

JAVA SE 6 Update113, JAVA SE 7 Update99, JAVA SE 8 Update77 以前の全てのバージョン

• CVE-2016-2176
• OpenSSL1.0.1t/1.0.2h以前のバージョンであったx509のX509_NAME_oneline()関数によるバッファーオーバーリードの問題

• 重要度 - Low

• CVE-2016-3092

• Apache Commons FileUpload におけるサービス運用妨害 (DoS) の脆弱性

• 重要度 - Moderate

• CVE-2016-6303

• MDC2_Update()関数の呼出しにヒープベースバッファオーバーフロー

• 重要度 - Moderate

• CVE-2017-3302

• libmysqlclient.soにuse-after-freeの問題

• 重要度 - Low

• CVE-2017-3304

• MySQL Clusterの問題

• CVE-2017-3305

• Riddle : CVE-2017-3305

• 重要度 - Moderate

• CVE-2017-3306

• MySQL Enterprise Monitorの問題

• CVE-2017-3307

• MySQL Enterprise Monitorの問題

• 重要度 - Critical

• CVE-2017-3308

• Server:DMLの脆弱性

• 重要度 - Important

• CVE-2017-3309

• Server:Optimizerの脆弱性

• 重要度 - Important

• CVE-2017-3329

• Server: スレッドプーリングの脆弱性

• 重要度 - Moderate

• CVE-2017-3331

• Server:DMLの脆弱性

• 重要度 - Moderate

• CVE-2017-3450

• Server:Memcachedの脆弱性

• 重要度 - Moderate

• CVE-2017-3452

• Server:Optimizerの脆弱性

• 重要度 - Moderate

• CVE-2017-3453

• Server:Optimizerの脆弱性

• 重要度 - Moderate

• CVE-2017-3454

• Server:InnoDBの脆弱性

• 重要度 - Moderate

• CVE-2017-3455

• Server:Security:privilegsの脆弱性

• 重要度 - Moderate

• CVE-2017-3456

• Server:DMLの脆弱性

• 重要度 - Moderate

• CVE-2017-3457

• Server:DMLの脆弱性

• 重要度 - Moderate

• CVE-2017-3458

• Server:DMLの脆弱性

• 重要度 - Moderate

• CVE-2017-3459

• Server:Optimizerの脆弱性

• 重要度 - Moderate

• CVE-2017-3460

• Server:Audit Plug-inの脆弱性

• 重要度 - Moderate

• CVE-2017-3461

• Server:Security:privilegsの脆弱性

• 重要度 - Moderate

• CVE-2017-3462

• Server:Security:privilegsの脆弱性

• 重要度 - Moderate

• CVE-2017-3463

• Server:Security:privilegsの脆弱性

• 重要度 - Moderate

• CVE-2017-3464

• Server:DDLの脆弱性

• 重要度 - Moderate

• CVE-2017-3465

• Server:Security:privilegsの脆弱性

• 重要度 - Moderate

• CVE-2017-3467

• Server:CAPIの脆弱性

• 重要度 - Low

• CVE-2017-3468

• Server:Security:Encryptionの脆弱性

• 重要度 - Moderate

• CVE-2017-3469

• MySQL Workbenchの問題

• CVE-2017-3523

• MySQL Connectorの問題

• CVE-2017-3586

• MySQL Connectorの問題

• CVE-2017-3589

• MySQL Connectorの問題

• CVE-2017-3590

• MySQL Connectorの問題

• CVE-2017-3599

• Server:Pluggable Authの脆弱性

• 重要度 - Important

• CVE-2017-3600

• データベースやテーブルを作成する特権を持つDBユーザが、mysqldumpツールによるDBリストア中に任意のコマンドを実行できる可能性

• 重要度 - Moderate

• CVE-2017-3731

• 切り詰められた(Truncated)パケットが境界外読み取り(OOB Read)を引き起こしクラッシュさせる(OpenSSL対応)

• 重要度 - Moderate

• CVE-2017-3732

• BN_mod_expがx86_64で不正な結果を提供する可能性(OpenSSL対応)

• 重要度 - Critical

• CVE-2017-5638

• Apache Struts2の脆弱性の対応

• 重要度 - Critical

詳細は、各ディストリビューションの提供元にご確認ください

• Debian

• https://security-tracker.debian.org/tracker/CVE-2016-2176

• https://security-tracker.debian.org/tracker/CVE-2016-3092

• https://security-tracker.debian.org/tracker/CVE-2016-6303

• https://security-tracker.debian.org/tracker/CVE-2017-3302

• https://security-tracker.debian.org/tracker/CVE-2017-3305

• https://security-tracker.debian.org/tracker/CVE-2017-3308

• https://security-tracker.debian.org/tracker/CVE-2017-3309

• https://security-tracker.debian.org/tracker/CVE-2017-3329

• https://security-tracker.debian.org/tracker/CVE-2017-3331

• https://security-tracker.debian.org/tracker/CVE-2017-3450

• https://security-tracker.debian.org/tracker/CVE-2017-3452

• https://security-tracker.debian.org/tracker/CVE-2017-3453

• https://security-tracker.debian.org/tracker/CVE-2017-3454

• https://security-tracker.debian.org/tracker/CVE-2017-3455

• https://security-tracker.debian.org/tracker/CVE-2017-3456

• https://security-tracker.debian.org/tracker/CVE-2017-3457

• https://security-tracker.debian.org/tracker/CVE-2017-3458

• https://security-tracker.debian.org/tracker/CVE-2017-3459

• https://security-tracker.debian.org/tracker/CVE-2017-3460

• https://security-tracker.debian.org/tracker/CVE-2017-3461

• https://security-tracker.debian.org/tracker/CVE-2017-3462

• https://security-tracker.debian.org/tracker/CVE-2017-3463

• https://security-tracker.debian.org/tracker/CVE-2017-3464

• https://security-tracker.debian.org/tracker/CVE-2017-3465

• https://security-tracker.debian.org/tracker/CVE-2017-3467

• https://security-tracker.debian.org/tracker/CVE-2017-3468

• https://security-tracker.debian.org/tracker/CVE-2017-3586

• https://security-tracker.debian.org/tracker/CVE-2017-3589

• https://security-tracker.debian.org/tracker/CVE-2017-3590

• https://security-tracker.debian.org/tracker/CVE-2017-3599

• https://security-tracker.debian.org/tracker/CVE-2017-3600

• https://security-tracker.debian.org/tracker/CVE-2017-3731

• https://security-tracker.debian.org/tracker/CVE-2017-3732

• https://security-tracker.debian.org/tracker/CVE-2017-5638

• Red Hat Enterprise Linux/CentOS

• https://access.redhat.com/security/cve/CVE-2016-2176

• https://access.redhat.com/security/cve/CVE-2016-3092

• https://access.redhat.com/security/cve/CVE-2016-6303

• https://access.redhat.com/security/cve/CVE-2017-3302

• https://access.redhat.com/security/cve/CVE-2017-3305

• https://access.redhat.com/security/cve/CVE-2017-3308

• https://access.redhat.com/security/cve/CVE-2017-3309

• https://access.redhat.com/security/cve/CVE-2017-3329

• https://access.redhat.com/security/cve/CVE-2017-3331

• https://access.redhat.com/security/cve/CVE-2017-3450

• https://access.redhat.com/security/cve/CVE-2017-3452

• https://access.redhat.com/security/cve/CVE-2017-3453

• https://access.redhat.com/security/cve/CVE-2017-3454

• https://access.redhat.com/security/cve/CVE-2017-3455

• https://access.redhat.com/security/cve/CVE-2017-3456

• https://access.redhat.com/security/cve/CVE-2017-3457

• https://access.redhat.com/security/cve/CVE-2017-3458

• https://access.redhat.com/security/cve/CVE-2017-3459

• https://access.redhat.com/security/cve/CVE-2017-3460

• https://access.redhat.com/security/cve/CVE-2017-3461

• https://access.redhat.com/security/cve/CVE-2017-3462

• https://access.redhat.com/security/cve/CVE-2017-3463

• https://access.redhat.com/security/cve/CVE-2017-3464

• https://access.redhat.com/security/cve/CVE-2017-3465

• https://access.redhat.com/security/cve/CVE-2017-3467

• https://access.redhat.com/security/cve/CVE-2017-3468

• https://access.redhat.com/security/cve/CVE-2017-3586

• https://access.redhat.com/security/cve/CVE-2017-3589

• https://access.redhat.com/security/cve/CVE-2017-3590

• https://access.redhat.com/security/cve/CVE-2017-3599

• https://access.redhat.com/security/cve/CVE-2017-3600

• https://access.redhat.com/security/cve/CVE-2017-3731

• https://access.redhat.com/security/cve/CVE-2017-3732

• https://access.redhat.com/security/cve/CVE-2017-5638

• Oracle Linux

• Oracle Linux 6

• Oracle Linux 7

• SUSE

• https://www.suse.com/security/cve/CVE-2016-2176

• https://www.suse.com/security/cve/CVE-2016-3092

• https://www.suse.com/security/cve/CVE-2016-6303

• https://www.suse.com/security/cve/CVE-2017-3302

• https://www.suse.com/security/cve/CVE-2017-3305

• https://www.suse.com/security/cve/CVE-2017-3308

• https://www.suse.com/security/cve/CVE-2017-3309

• https://www.suse.com/security/cve/CVE-2017-3329

• https://www.suse.com/security/cve/CVE-2017-3331

• https://www.suse.com/security/cve/CVE-2017-3450

• https://www.suse.com/security/cve/CVE-2017-3452

• https://www.suse.com/security/cve/CVE-2017-3453

• https://www.suse.com/security/cve/CVE-2017-3454

• https://www.suse.com/security/cve/CVE-2017-3455

• https://www.suse.com/security/cve/CVE-2017-3456

• https://www.suse.com/security/cve/CVE-2017-3457

• https://www.suse.com/security/cve/CVE-2017-3458

• https://www.suse.com/security/cve/CVE-2017-3459

• https://www.suse.com/security/cve/CVE-2017-3460

• https://www.suse.com/security/cve/CVE-2017-3461

• https://www.suse.com/security/cve/CVE-2017-3462

• https://www.suse.com/security/cve/CVE-2017-3463

• https://www.suse.com/security/cve/CVE-2017-3464

• https://www.suse.com/security/cve/CVE-2017-3465

• https://www.suse.com/security/cve/CVE-2017-3467

• https://www.suse.com/security/cve/CVE-2017-3468

• https://www.suse.com/security/cve/CVE-2017-3586

• https://www.suse.com/security/cve/CVE-2017-3589

• https://www.suse.com/security/cve/CVE-2017-3590

• https://www.suse.com/security/cve/CVE-2017-3599

• https://www.suse.com/security/cve/CVE-2017-3600

• https://www.suse.com/security/cve/CVE-2017-3731

• https://www.suse.com/security/cve/CVE-2017-3732

• https://www.suse.com/security/cve/CVE-2017-5638

• ubuntu

• http://people.canonical.com/%7Eubuntu-security/cve/2016/CVE-2016-2176.html

• http://people.canonical.com/%7Eubuntu-security/cve/2016/CVE-2016-3092.html

• http://people.canonical.com/%7Eubuntu-security/cve/2016/CVE-2016-6303.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3302.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3305.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3308.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3309.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3329.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3331.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3450.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3452.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3453.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3454.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3455.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3456.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3457.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3458.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3459.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3460.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3461.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3462.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3463.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3464.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3465.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3467.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3468.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3586.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3589.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3590.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3599.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3600.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3731.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-3732.html

• http://people.canonical.com/%7Eubuntu-security/cve/2017/CVE-2017-5638.html

Oracle Critical Patch Update Advisory - April 2017