
OSG-SEC-2018-04-17 Vulnerability in MariaDB MySQL

Dear OSG Security Contacts,

A vulnerability has been reported in MariaDB (MySQL) that has been rated as ‘up to HIGH’ by EGI [1]. This vulnerability, described in CVE-2018-2562, allows a low-privileged attacker with network access via multiple protocols to compromise a MySQL Server.

Impacted Versions/Environments:

The following versions are affected:

  • MariaDB 10.2.12 (prior versions have not been tested)
  • MariaDB 10.1.30 (prior versions have not been tested)
  • MariaDB 10.0.33 (prior versions have not been tested)
  • MariaDB 5.5.58 and prior

Action Recommendations:

Sites running MySQL should update to the most current version if they are running distributions where a patch is available. The vulnerability has been patched in the following versions of MariaDB:

  • MariaDB 10.2.13 and later [2]
  • MariaDB 10.1.31 and later [3]
  • MariaDB 10.0.34 and later [4]
  • MariaDB 5.5.59 [5]

Also ensure that MySQL is not directly accessible from the network unless it is essential for the application.
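The two recommendations above (patch level and network exposure) can be checked mechanically. The following POSIX shell script is an added example and is not part of the OSG advisory or of MariaDB: the function names (`mariadb_status`, `version_from_banner`, `bind_exposure`), the sample `mysqld --version` banner and the `my.cnf` fragment are all constructed for illustration. The fixed patch levels are the ones listed in the advisory; a release series the advisory does not mention is reported as "unlisted" rather than guessed at.

```shell
#!/bin/sh
# Added example, not part of the OSG advisory: triage helper for CVE-2018-2562.
# It classifies a MariaDB version against the fixed versions the advisory
# lists and checks a my.cnf fragment for network exposure of mysqld.

# Fixed patch level for each release series named in the advisory.
fixed_for_series() {
  case "$1" in
    10.2) echo 13 ;;
    10.1) echo 31 ;;
    10.0) echo 34 ;;
    5.5)  echo 59 ;;
    *)    echo "" ;;   # series the advisory does not cover
  esac
}

# mariadb_status VERSION -> "patched" | "vulnerable" | "unlisted"
# Accepts "10.2.12" or a distro-style "10.2.12-MariaDB"; anything after the
# third numeric component is ignored.
mariadb_status() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo unlisted; return ;;
  esac
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  patch=$(printf '%s' "${rest#*.}" | sed 's/[^0-9].*//')
  fixed=$(fixed_for_series "$major.$minor")
  if [ -z "$fixed" ]; then
    echo unlisted
  elif [ "$patch" -ge "$fixed" ]; then
    echo patched
  else
    echo vulnerable
  fi
}

# version_from_banner BANNER -> the dotted version in a `mysqld --version` line
version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9.]*\).*/\1/p'
}

# bind_exposure MY_CNF_TEXT -> "disabled" | "loopback" | "network"
# A missing bind-address means mysqld listens on every interface, which is
# why the fall-through case is "network".
bind_exposure() {
  if printf '%s\n' "$1" | grep -q '^[[:space:]]*skip[-_]networking'; then
    echo disabled
    return
  fi
  addr=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
    | tail -n 1)
  case "$addr" in
    127.0.0.1|::1|localhost) echo loopback ;;
    *) echo network ;;
  esac
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER='mysqld  Ver 10.2.12-MariaDB for Linux on x86_64 (MariaDB Server)'
SAMPLE_CNF='[mysqld]
datadir=/var/lib/mysql
bind-address = 0.0.0.0'

report() {
  v=$(version_from_banner "$SAMPLE_BANNER")
  echo "MariaDB $v: $(mariadb_status "$v")"
  echo "mysqld network exposure: $(bind_exposure "$SAMPLE_CNF")"
}
report
```

On a real host, feed `version_from_banner` the output of `mysqld --version` and `bind_exposure` the contents of the active configuration file; a result of "vulnerable" together with "network" is the combination the advisory asks sites to eliminate first.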

How It Works:

This vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise a MySQL Server. Successful exploitation can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of the MySQL Server, as well as unauthorized update, insert or delete access to some of the data accessible to the MySQL Server.

  • https://ticket.opensciencegrid.org/37043

More Information:

  • [1] https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2018-2562
  • [2] https://mariadb.com/kb/en/library/mariadb-102/
  • [3] https://mariadb.com/kb/en/library/mariadb-101/
  • [4] https://mariadb.com/kb/en/library/mariadb-100/
  • [5] https://mariadb.com/kb/en/library/mariadb-55/

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team