Database Security Digest, June-July 2016

According to the latest IBM Security report, released this June, the average cost of a data breach has hit $4 million, a 29% increase since 2013. Every lost or stolen record costs corporations approximately $158. The report also notes a dismal 64% increase in reported security incidents. Its results imply that cyber-attacks are getting more sophisticated and that getting hacked is becoming more expensive, a reminder of how important it is to stay up to date on information security. Here is our digest of recently released DBMS updates and the most important vulnerabilities they fix.

Extensive Patching by Oracle

Oracle continues to extend its sphere of influence, reaching a $9.3 billion agreement to acquire NetSuite, a company that sells a suite of software services used by more than 30,000 organizations to manage business operations and customer relations. Right before the announcement of that huge deal, Oracle released its next scheduled Critical Patch Update, surpassing its previous unwanted record for the number of security fixes by addressing 276 problems across various products, including Oracle Database Server and Oracle MySQL.

For Oracle MySQL, the Critical Patch Update contains 22 new security fixes. Three of these vulnerabilities (CVE-2016-2105, CVE-2016-5444, CVE-2016-3452) may be remotely exploitable without authentication, i.e. over a network without the need for credentials. Here is the Oracle MySQL risk matrix:

| CVE# | Component | Sub-component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-3477 | MySQL Server | Server: Parser | None | No | 8.1 | Local | High | None | None | 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-3440 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 7.7 | Network | Low | Low | None | 5.7.11 and earlier |
| CVE-2016-2105 | MySQL Server | Server: Security: Encryption | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-3471 | MySQL Server | Server: Option | None | No | 7.5 | Local | High | High | None | 5.5.45 and earlier, 5.6.26 and earlier |
| CVE-2016-3486 | MySQL Server | Server: FTS | MySQL Protocol | No | 6.5 | Network | Low | Low | None | 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-3501 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-3518 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | 5.7.12 and earlier |
| CVE-2016-3521 | MySQL Server | Server: Types | MySQL Protocol | No | 6.5 | Network | Low | Low | None | 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-3588 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 5.9 | Network | High | Low | None | 5.7.12 and earlier |
| CVE-2016-3615 | MySQL Server | Server: DML | MySQL Protocol | No | 5.3 | Network | High | Low | None | 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-3614 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 5.3 | Network | High | Low | None | 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-5436 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.7.12 and earlier |
| CVE-2016-3459 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-5437 | MySQL Server | Server: Log | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.7.12 and earlier |
| CVE-2016-3424 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.7.12 and earlier |
| CVE-2016-5439 | MySQL Server | Server: Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-5440 | MySQL Server | Server: RBR | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier |
| CVE-2016-5441 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.7.12 and earlier |
| CVE-2016-5442 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.9 | Network | Low | High | None | 5.7.12 and earlier |
| CVE-2016-5443 | MySQL Server | Server: Connection | None | No | 4.7 | Local | High | None | Required | 5.7.12 and earlier |
| CVE-2016-5444 | MySQL Server | Server: Connection | MySQL Protocol | Yes | 3.7 | Network | High | None | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier |
| CVE-2016-3452 | MySQL Server | Server: Security: Encryption | MySQL Protocol | Yes | 3.7 | Network | High | None | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.10 and earlier |

Base Score, Attack Vector, Attack Complexity, Privileges Required and User Interaction are CVSS version 3.0 risk metrics (see Oracle's Risk Matrix Definitions).
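Checking a deployed build against this matrix by hand is error-prone, so here is an added example (not part of the original digest or of Oracle's advisory) that encodes a subset of the rows above and reports which CVEs remain open for a given MySQL Server version. It assumes, as the matrix convention implies, that a release series not named in the "affected" column is not affected by that CVE.

```python
"""Check an installed MySQL Server build against the July 2016 CPU risk matrix."""
import re

# Subset of the Oracle MySQL risk matrix above, transcribed for this example:
# (CVE, remotely exploitable without auth, CVSS 3.0 base score, affected versions).
MYSQL_CPU_JUL2016 = [
    ("CVE-2016-3477", False, 8.1, "5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier"),
    ("CVE-2016-3440", False, 7.7, "5.7.11 and earlier"),
    ("CVE-2016-2105", True, 7.5, "5.6.30 and earlier, 5.7.12 and earlier"),
    ("CVE-2016-3471", False, 7.5, "5.5.45 and earlier, 5.6.26 and earlier"),
    ("CVE-2016-5444", True, 3.7, "5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier"),
    ("CVE-2016-3452", True, 3.7, "5.5.48 and earlier, 5.6.29 and earlier, 5.7.10 and earlier"),
]

def parse_version(text):
    """'5.7.12' -> (5, 7, 12); build suffixes such as '-log' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised MySQL version: %r" % text)
    return tuple(int(x) for x in m.groups())

def parse_affected(text):
    """'5.6.30 and earlier, 5.7.12 and earlier' -> {(5, 6): (5, 6, 30), (5, 7): (5, 7, 12)}."""
    ranges = {}
    for part in text.split(","):
        m = re.match(r"\s*(\d+\.\d+\.\d+) and earlier\s*$", part)
        if not m:
            raise ValueError("unrecognised range: %r" % part)
        last = parse_version(m.group(1))
        ranges[last[:2]] = last   # keyed by release series, e.g. (5, 7)
    return ranges

def is_affected(installed, affected_text):
    """Affected if the build's series is listed and its patch level is at or below the last affected one.
    Assumption: a series Oracle does not list (e.g. 5.7 for CVE-2016-3471) is treated as unaffected."""
    v = parse_version(installed)
    last_affected = parse_affected(affected_text).get(v[:2])
    return last_affected is not None and v <= last_affected

def open_cves(installed, matrix=MYSQL_CPU_JUL2016, unauth_only=False):
    """(CVE, score) pairs still open on this build, highest CVSS first."""
    hits = [(cve, score) for cve, unauth, score, rng in matrix
            if is_affected(installed, rng) and (unauth or not unauth_only)]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for build in ("5.6.30", "5.7.11", "5.7.13", "5.5.49-log"):
        print(build, "->", open_cves(build))
```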

For Oracle Database Server, the Critical Patch Update contains 9 new security fixes. Five of these vulnerabilities (CVE-2016-3506, CVE-2016-3479, CVE-2016-3448, CVE-2016-3467, CVE-2015-0204) may be remotely exploitable without authentication.

Oracle Database Server Risk Matrix

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-3609 | OJVM | Create Session | Multiple | No | 9.0 | Network | Low | Low | Required | 11.2.0.4, 12.1.0.1, 12.1.0.2 |
| CVE-2016-3506 | JDBC | None | Oracle Net | Yes | 8.1 | Network | High | None | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 |
| CVE-2016-3479 | Portable Clusterware | None | Oracle Net | Yes | 7.5 | Network | Low | None | None | 11.2.0.4, 12.1.0.2 |
| CVE-2016-3489 | Data Pump Import | Index on SYS.INCVID | Oracle Net | No | 6.7 | Local | Low | High | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 |
| CVE-2016-3448 | Application Express | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Prior to 5.0.4 |
| CVE-2016-3467 | Application Express | None | HTTP | Yes | 5.8 | Network | Low | None | None | Prior to 5.0.4 |
| CVE-2015-0204 | RDBMS | HTTPS Listener | HTTPS | Yes | 5.3 | Network | High | None | Required | 12.1.0.1, 12.1.0.2 |
| CVE-2016-3488 | DB Sharding | Execute on gsmadmin_internal | Oracle Net | No | 4.4 | Local | Low | High | None | 12.1.0.2 |
| CVE-2016-3484 | Database Vault | Create Public Synonym | Oracle Net | No | 3.4 | Local | Low | High | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 |

Base Score, Attack Vector, Attack Complexity, Privileges Required and User Interaction are CVSS version 3.0 risk metrics (see Oracle's Risk Matrix Definitions).

As for the other Oracle products, nineteen of the fixed vulnerabilities across nine different products carry a CVSS 3.0 rating of 9.8; with this in mind, installing the patch will be essential for many users.

MySQL 5.7.13 Release

MySQL 5.7.13 was officially released in June. The new version of MySQL Server adds an SQL interface for keyring key management, implemented as a set of user-defined functions (UDFs) that call the functions provided by the internal keyring service. Here are the security vulnerabilities fixed in the new version:

CVE-2016-2106 (OpenSSL advisory, low severity)

Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

CVE-2016-2105 (OpenSSL advisory, low severity)

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

CVE-2016-2109 (OpenSSL advisory, low severity)

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

CVE-2016-2107 (OpenSSL advisory, high severity)

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. Note: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

CVE-2016-2176 (OpenSSL advisory, low severity)

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

More Updates

Greenplum Database 4.3.8.1 is a maintenance release that doesn’t add new features, but it resolves some known issues and includes enhancements to performance and stability, the gpdbrestore, gpcheckcat and gpload utilities, the external table s3 protocol and the MADlib extension.

The alpha version of MariaDB 10.2.1 was released in July. MariaDB 10.2 is an evolution of MariaDB 10.1 with some new features that are not found anywhere else and with features reimplemented from MySQL 5.6 and 5.7. MariaDB 10.2.1 is in an alpha state.

The PostgreSQL Global Development Group announced that PostgreSQL 9.6 Beta 3 is available for download. This release includes previews of all of the features that will be available in the final release of version 9.6, including fixes for many of the issues found in the previous betas. The final release of PostgreSQL 9.6 will be in late 2016.