Database Security Digest, June-July 2016

According to the latest IBM Security report, released this June, the average cost of a data breach has reached $4 million, a 29% increase since 2013. Each lost or stolen record costs an organization approximately $158, and the number of reported security incidents has grown by a dismal 64%. The report's findings imply that cyber-attacks keep improving and getting hacked keeps getting more expensive, a reminder of how important it is to stay up to date on information security. Here is the digest of recently released DBMS updates and of the most important vulnerabilities they fix.

Extensive Patching by Oracle

Oracle continues to extend its sphere of influence, reaching a $9.3 billion agreement to acquire NetSuite, a company whose suite of software services is used by more than 30,000 organizations to manage business operations and customer relations. Shortly before the acquisition was announced, Oracle released its next scheduled Critical Patch Update, surpassing its own unwanted record for the number of security fixes with 276 fixes across various products, including Oracle Database Server and Oracle MySQL.

For Oracle MySQL, the Critical Patch Update contains 22 new security fixes. Three of these vulnerabilities (CVE-2016-2105, CVE-2016-5444, CVE-2016-3452) may be remotely exploitable without authentication; note that CVE-2016-2105 is an OpenSSL bug (described in the MySQL 5.7.13 section below) that MySQL inherits through the OpenSSL library it links. Here is the Oracle MySQL risk matrix:

 
CVE# | Component | Sub-component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction
CVE-2016-3477 | MySQL Server | Server: Parser | None | No | 8.1 | Local | High | None | None
CVE-2016-3440 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 7.7 | Network | Low | Low | None
CVE-2016-2105 | MySQL Server | Server: Security: Encryption | MySQL Protocol | Yes | 7.5 | Network | Low | None | None
CVE-2016-3471 | MySQL Server | Server: Option | None | No | 7.5 | Local | High | High | None
CVE-2016-3486 | MySQL Server | Server: FTS | MySQL Protocol | No | 6.5 | Network | Low | Low | None
CVE-2016-3501 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None
CVE-2016-3518 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None
CVE-2016-3521 | MySQL Server | Server: Types | MySQL Protocol | No | 6.5 | Network | Low | Low | None
CVE-2016-3588 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 5.9 | Network | High | Low | None
CVE-2016-3615 | MySQL Server | Server: DML | MySQL Protocol | No | 5.3 | Network | High | Low | None
CVE-2016-3614 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 5.3 | Network | High | Low | None
CVE-2016-5436 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-3459 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-5437 | MySQL Server | Server: Log | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-3424 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-5439 | MySQL Server | Server: Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-5440 | MySQL Server | Server: RBR | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-5441 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-5442 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.9 | Network | Low | High | None
CVE-2016-5443 | MySQL Server | Server: Connection | None | No | 4.7 | Local | High | None | Required
CVE-2016-5444 | MySQL Server | Server: Connection | MySQL Protocol | Yes | 3.7 | Network | High | None | None
CVE-2016-3452 | MySQL Server | Server: Security: Encryption | MySQL Protocol | Yes | 3.7 | Network | High | None | None

For Oracle Database Server, the Critical Patch Update contains 9 new security fixes. Five of these vulnerabilities (CVE-2016-3506, CVE-2016-3479, CVE-2016-3448, CVE-2016-3467, CVE-2015-0204) may be remotely exploitable without authentication. Note that CVE-2015-0204 is the OpenSSL "FREAK" export-grade RSA downgrade flaw, fixed here in the HTTPS listener, and that the highest-scoring issue, CVE-2016-3609 in OJVM (9.0), needs nothing more than the Create Session privilege.

Oracle Database Server Risk Matrix

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction
CVE-2016-3609 | OJVM | Create Session | Multiple | No | 9.0 | Network | Low | Low | Required
CVE-2016-3506 | JDBC | None | Oracle Net | Yes | 8.1 | Network | High | None | None
CVE-2016-3479 | Portable Clusterware | None | Oracle Net | Yes | 7.5 | Network | Low | None | None
CVE-2016-3489 | Data Pump Import | Index on SYS.INCVID | Oracle Net | No | 6.7 | Local | Low | High | None
CVE-2016-3448 | Application Express | None | HTTP | Yes | 6.1 | Network | Low | None | Required
CVE-2016-3467 | Application Express | None | HTTP | Yes | 5.8 | Network | Low | None | None
CVE-2015-0204 | RDBMS | HTTPS Listener | HTTPS | Yes | 5.3 | Network | High | None | Required
CVE-2016-3488 | DB Sharding | Execute on gsmadmin_internal | Oracle Net | No | 4.4 | Local | Low | High | None
CVE-2016-3484 | Database Vault | Create Public Synonym | Oracle Net | No | 3.4 | Local | Low | High | None

As for the other Oracle products, nineteen of the fixed vulnerabilities, spread across nine different products, carry a CVSS 3.0 base score of 9.8. With that in mind, installing the patch will be essential for many users.

MySQL 5.7.13 Release

MySQL 5.7.13 was officially released in June. The new version of MySQL Server adds an SQL interface for keyring key management, implemented as a set of user-defined functions (UDFs) in the keyring_udf plugin that call the functions provided by the internal keyring service. The security vulnerabilities fixed in the new version are listed below; all of them are OpenSSL issues, so they affect builds that link OpenSSL (builds linked against the operating system's OpenSSL need the OS package updated instead):
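The following is an added example of the keyring SQL interface, written for this digest and not taken from the original article or from MySQL's own documentation. It assumes a MySQL 5.7.13 server started with a keyring plugin loaded early (for instance keyring_file.so via early-plugin-load), an account allowed to install plugins and create functions, and a hypothetical key ID of the reader's choosing; the key value stored in step 3 is a constructed sample, not a real secret.

```sql
-- Added example (not from the original digest or from MySQL's documentation):
-- exercising the MySQL 5.7.13 keyring_udf SQL interface end to end.
-- Assumes the server was started with a keyring plugin loaded early, e.g. in my.cnf:
--   [mysqld]
--   early-plugin-load=keyring_file.so
--   keyring_file_data=/var/lib/mysql-keyring/keyring        (hypothetical path)
-- and that the connected account may run INSTALL PLUGIN and CREATE FUNCTION.

-- 1. Load the UDF plugin and register the six functions it exposes.
INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_generate     RETURNS INTEGER SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_store        RETURNS INTEGER SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_fetch        RETURNS STRING  SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_type_fetch   RETURNS STRING  SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_remove       RETURNS INTEGER SONAME 'keyring_udf.so';

-- 2. Generate a random 32-byte (AES-256) key under a caller-chosen ID.
--    'app1_data_key' is a hypothetical ID. The key material is created inside
--    the keyring; nothing is returned to the caller except the status (1 = success).
SELECT keyring_key_generate('app1_data_key', 'AES', 32) AS generated;

-- 3. Store key bytes the application already holds (constructed 16-byte sample value,
--    here just 0x0f repeated; a real migration would pass the existing key).
SELECT keyring_key_store('app1_legacy_key', 'AES', UNHEX(REPEAT('0f', 16))) AS stored;

-- 4. Inspect key metadata without pulling the key material out of the keyring.
SELECT keyring_key_type_fetch('app1_data_key')   AS key_type,    -- 'AES'
       keyring_key_length_fetch('app1_data_key') AS key_bytes;   -- 32

-- 5. Fetch the key only in the session that needs it and use it with AES_ENCRYPT.
--    block_encryption_mode selects AES-256-CBC so the 32-byte key is used as-is,
--    and a fresh random IV is generated per encryption.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @iv  = RANDOM_BYTES(16);
SET @key = keyring_key_fetch('app1_data_key');
SELECT HEX(@iv) AS iv_hex,
       HEX(AES_ENCRYPT('sample plaintext', @key, @iv)) AS ciphertext_hex;
SET @key = NULL;   -- drop the key material from the session as soon as it is no longer needed

-- 6. Remove keys that are no longer needed (returns 1 on success).
SELECT keyring_key_remove('app1_legacy_key') AS removed;
```

Two points worth keeping in mind when granting access to these functions: keyring_key_fetch returns raw key bytes to whoever can execute it, so EXECUTE on the UDFs should be limited to the accounts that actually encrypt or decrypt, and the keyring_udf plugin scopes keys to the account that created them, so a key stored by one account is not visible to another even if both can call the functions.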

CVE-2016-2106 (OpenSSL advisory, low severity)

Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

CVE-2016-2105 (OpenSSL advisory, low severity)

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

CVE-2016-2109 (OpenSSL advisory, low severity)

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

CVE-2016-2107 (OpenSSL advisory, high severity)

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. Note: this vulnerability exists because of an incorrect fix for CVE-2013-0169 (Lucky Thirteen).

CVE-2016-2176 (OpenSSL advisory, low severity)

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

More Updates

Greenplum Database 4.3.8.1 is a maintenance release that adds no new features but resolves some known issues and includes enhancements to performance and stability, to the gpdbrestore, gpcheckcat and gpload utilities, to the external table s3 protocol and to the MADlib extension.

The alpha version of MariaDB 10.2.1 was released in July; as an alpha, it is not intended for production use. MariaDB 10.2 is an evolution of MariaDB 10.1 with some new features not found anywhere else and with features reimplemented from MySQL 5.6 and 5.7.

The PostgreSQL Global Development Group announced that PostgreSQL 9.6 Beta 3 is available for download. This release includes previews of all the features that will be available in the final release of version 9.6, along with fixes for many of the issues found in the previous betas. The final release of 9.6 is expected in late 2016.