| VID |
25183 |
| Severity |
30 |
| Port |
3306 |
| Protocol |
TCP |
| Class |
DB |
| Detailed Description |
The version of MySQL running on the remote host is 5.5.x prior to 5.5.49. It is, therefore, affected by multiple vulnerabilities :
- An unspecified flaw exists in the Federated subcomponent that allows an authenticated, remote attacker to impact integrity and availability. (CVE-2016-0642)
- An unspecified flaw exists in the DML subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2016-0643)
- An unspecified flaw exists in the FTS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-0647)
- An unspecified flaw exists in the PS subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-0647)
- An unspecified flaw exists in the Security: Privileges subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2016-0666)
- A man-in-the-middle spoofing vulnerability exists due to the server hostname not being verified to match a domain name in the Subject's Common Name (CN) or SubjectAltName field of the X.509 certificate. A man-in-the-middle
attacker can exploit this, by spoofing the TLS/SSL server via a certificate that appears valid, to disclose sensitive information or manipulate transmitted data. (CVE-2016-2047)
* Note: This check solely relied on the banner of the remote MySQL server to assess this vulnerability, so this might be a false positive.
* References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-49.html
* Platforms Affected:
MySQL versions 5.5.x prior to 5.5.49
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of MySQL (5.5.49 or later), available from the MySQL Web site at http://www.mysql.com/ |
| Related URL |
CVE-2016-0642,CVE-2016-0643,CVE-2016-0647,CVE-2016-0648,CVE-2016-0666,CVE-2016-2047 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
