Database Security Digest, June-July 2016
According to latest IBM Security report released this June, the average cost of a data breach hit $4 million, representing an increase for 29% since 2013. Every lost or stolen record costs for corporations approximately $158. There is also a dismal 64% increase in reported security incidents. Results of the report imply that cyber-attacks are improving and getting hacked becomes more expensive, which reminds the importance of being up-to-date when it comes to information security. Here is the digest of recently released DBMS updates and information about most important fixed vulnerabilities.
Extensive Patching by Oracle
Oracle continues to extend the sphere of its influence by reaching a $9.3 billion worth agreement to acquire NetSuite, which is a company that sells a group of software services used to manage business’s operations and customers relations for more than 30,000 organizations. Right before the huge bargain announcement Oracle has released next scheduled Critical Patch Update surpassing its previous unwanted record for the number of security fixes by troubleshooting 27.6 problems across various products, including Oracle Database Server and Oracle MySQL.
For Oracle MySQL Critical Patch Update contains 22 new security fixes. 3 of these vulnerabilities (CVE-2016-2105, CVE-2016-5444, CVE-2016-3452) may be remotely exploitable without authentication. Here is the Oracle MySQL risk matrix:
|CVE#||Component||Sub- component||Protocol||Remote Exploit without Auth.?||Base Score||Attack Vector||Attack Complex||Privs Req’d||User Interact|
|CVE-2016-3477||MySQL Server||Server: Parser||None||No||8.1||Local||High||None||None|
|CVE-2016-3440||MySQL Server||Server: Optimizer||MySQL Protocol||No||7.7||Network||Low||Low||None|
|CVE-2016-2105||MySQL Server||Server: Security: Encryption||MySQL Protocol||Yes||7.5||Network||Low||None||None|
|CVE-2016-3471||MySQL Server||Server: Option||None||No||7.5||Local||High||High||None|
|CVE-2016-3486||MySQL Server||Server: FTS||MySQL Protocol||No||6.5||Network||Low||Low||None|
|CVE-2016-3501||MySQL Server||Server: Optimizer||MySQL Protocol||No||6.5||Network||Low||Low||None|
|CVE-2016-3518||MySQL Server||Server: Optimizer||MySQL Protocol||No||6.5||Network||Low||Low||None|
|CVE-2016-3521||MySQL Server||Server: Types||MySQL Protocol||No||6.5||Network||Low||Low||None|
|CVE-2016-3588||MySQL Server||Server: InnoDB||MySQL Protocol||No||5.9||Network||High||Low||None|
|CVE-2016-3615||MySQL Server||Server: DML||MySQL Protocol||No||5.3||Network||High||Low||None|
|CVE-2016-3614||MySQL Server||Server: Security: Encryption||MySQL Protocol||No||5.3||Network||High||Low||None|
|CVE-2016-5436||MySQL Server||Server: InnoDB||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-3459||MySQL Server||Server: InnoDB||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-5437||MySQL Server||Server: Log||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-3424||MySQL Server||Server: Optimizer||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-5439||MySQL Server||Server: Privileges||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-5440||MySQL Server||Server: RBR||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-5441||MySQL Server||Server: Replication||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-5442||MySQL Server||Server: Security: Encryption||MySQL Protocol||No||4.9||Network||Low||High||None|
|CVE-2016-5443||MySQL Server||Server: Connection||None||No||4.7||Local||High||None||Required|
|CVE-2016-5444||MySQL Server||Server: Connection||MySQL Protocol||Yes||3.7||Network||High||None||None|
|CVE-2016-3452||MySQL Server||Server: Security: Encryption||MySQL Protocol||Yes||3.7||Network||High||None||None|
For Oracle Database Server Critical Patch Update contains 9 new security fixes. 5 of these vulnerabilities (CVE-2016-3506, CVE-2016-3479, CVE-2016-3448, CVE-2016-3467, CVE-2015-0204) may be remotely exploitable without authentication.
Oracle Database Server Risk Matrix
|CVE#||Component||Package and/or Privilege Required||Protocol||Remote Exploit without Auth.?||Base Score||Attack Vector||Attack Complex||Privs Req’d||User Interact|
|CVE-2016-3479||Portable Clusterware||None||Oracle Net||Yes||7.5||Network||Low||None||None|
|CVE-2016-3489||Data Pump Import||Index on SYS.INCVID||Oracle Net||No||6.7||Local||Low||High||None|
|CVE-2016-3488||DB Sharding||Execute on gsmadmin_internal||Oracle Net||No||4.4||Local||Low||High||None|
|CVE-2016-3484||Database Vault||Create Public Synonym||Oracle Net||No||3.4||Local||Low||High||None|
As for the other Oracle products nineteen fixed vulnerabilities across nine different products have a rating of 9.8 by CVSS 3.0, with this in mind, for many users it will be essential to install the patch.
MySQL 5.7.13 Release
MySQL 5.7.13 has been officially released in June. The new version of MySQL Server has an SQL interface for keyring key management, it is implemented as a set of user-defined functions (UDFs) that access the functions provided by the internal keyring service.Here are security vulnerabilities fixed in the new version:CVE-2016-2106 (OpenSSL advisory, low severity)
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.CVE-2016-2105 (OpenSSL advisory, low severity)
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.CVE-2016-2109 (OpenSSL advisory, low severity)
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.CVE-2016-2107 (OpenSSL advisory, high severity)
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.CVE-2016-2176 (OpenSSL advisory, low severity)
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Greenplum Database 220.127.116.11 is a maintenance release that doesn’t add new features, but it resolves some known issues and includes enhancements of performance and stability, gpdbrestore utility, gpcheckcat utility, gpload utility, external table s3 protocol and MADlib extension.
Alpha version of MariaDB 10.2.1 was released in July. MariaDB 10.2 is an evolution of MariaDB 10.1 with some new features that are not found anywhere else and with features reimplemented from MySQL 5.6 and 5.7. MariaDB 10.2.1 is in an Alpha state.
The PostgreSQL Global Development Group announced that PostgreSQL 9.6 Beta 3 is available for download. This release includes previews of all of the features which will be available in the final release of version 9.6, including fixes to many of the issues found in the previous betas. The final release of PostgreSQL will be in late 2016.