Details of VAR-201410-0965

ID

VAR-201410-0965

CVE

CVE-2014-6478

TITLE

Oracle MySQL of MySQL Server In SERVER:SSL:yaSSL Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2014-004813

DESCRIPTION

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect integrity via vectors related to SERVER:SSL:yaSSL. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'SERVER:SSL:yaSSL' sub component is affected. This vulnerability affects the following supported versions: 5.5.39 and earlier, 5.6.20 and earlier. The database system has the characteristics of high performance, low cost and good reliability. A remote attacker could exploit this vulnerability to update, insert, and delete data, affecting data integrity. ============================================================================ Ubuntu Security Notice USN-2384-1 October 15, 2014 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.5: MySQL database Details: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2384-1 CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 Package Information: https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1 https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3054-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 20, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mysql-5.5 CVE ID : CVE-2012-5615 CVE-2014-4274 CVE-2014-4287 CVE-2014-6463 CVE-2014-6464 CVE-2014-6469 CVE-2014-6478 CVE-2014-6484 CVE-2014-6491 CVE-2014-6494 CVE-2014-6495 CVE-2014-6496 CVE-2014-6500 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6551 CVE-2014-6555 CVE-2014-6559 Debian Bug : 765663 Several issues have been discovered in the MySQL database server. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.40-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJURSC7AAoJEAVMuPMTQ89EasQP/RxXHja/33Mofs2nZY2T0c++ BblmAs1D8t1csPTPjPGC2UFrBNWvvKSintqHid1W34ulFQahR+Uw0t6vuNOKoVnh oBnayvOkAl2R6EcMS3DrdEPCgmj6NGC6QNG2Qt43a5tYdR3YCBTCMhPcHoIM6m3J eQH/3UetTKrxvqM0nXNjTcVppdHUzKP3b2W/DRP90X0qtD5DdkqEqh12rCZVBvnO b3AegaZ/PoEnmzqXkLIpRs2Dtx9P/dWeL9vCDZN0X6h+NSJzXYd0YfjfEIYldSXI vKHIXFyno69pelQ7YoUA/+XKyVbvZzPL1STgV9dJtHWUi4TMR9VgIFuJMVaBoNDR YTcfN61CfOkhUI45PhEp+mprlKVwwrLXrR/R5g4dHr28EmdQmvIJOOtxbUJAUd0m y7q5PUuXWuVC54Kjm51m249dNY8IMgBAiIdrvlQyQiOL28Wgc0z2+IWFZnSL8eSH 5l8jKi20x6BYNIKQHWBqt2s4yej39dNaiNnCGqnUUOCzrbpfY1xzP25GPtQo+jVc +1IygdKN8SG3S5FTQcHsND4C2cb3A9Tgf2gwffVrQq0TyQvXQbGjWN+xh4FAhU/D ysAYdd2zPQGd+9OAE/Ja1uMZ2NY/CTzn9y5Or6eTCLpDmNFN28MsvQ9SAkAWVKe8 SgOwAiXo3xRUsGy6UiHm =j4S6 -----END PGP SIGNATURE-----

Trust: 2.25

sources: NVD: CVE-2014-6478 // JVNDB: JVNDB-2014-004813 // BID: 70489 // VULHUB: VHN-74422 // VULMON: CVE-2014-6478 // PACKETSTORM: 128698 // PACKETSTORM: 128759

AFFECTED PRODUCTS

vendor:	oracle	model:	mysql	scope:	lte	version:	5.5.38	Trust: 1.8
vendor:	oracle	model:	mysql	scope:	lte	version:	5.6.19	Trust: 1.8
vendor:	suse	model:	linux enterprise workstation extension	scope:	eq	version:	12	Trust: 1.0
vendor:	mariadb	model:	mariadb	scope:	gte	version:	5.5.0	Trust: 1.0
vendor:	mariadb	model:	mariadb	scope:	gte	version:	10.0.0	Trust: 1.0
vendor:	oracle	model:	mysql	scope:	gte	version:	5.6.0	Trust: 1.0
vendor:	suse	model:	linux enterprise desktop	scope:	eq	version:	12	Trust: 1.0
vendor:	suse	model:	linux enterprise server	scope:	eq	version:	12	Trust: 1.0
vendor:	juniper	model:	junos space	scope:	lte	version:	15.1	Trust: 1.0
vendor:	oracle	model:	mysql	scope:	gte	version:	5.5.0	Trust: 1.0
vendor:	suse	model:	linux enterprise software development kit	scope:	eq	version:	12	Trust: 1.0
vendor:	mariadb	model:	mariadb	scope:	lt	version:	10.0.13	Trust: 1.0
vendor:	mariadb	model:	mariadb	scope:	lt	version:	5.5.39	Trust: 1.0
vendor:	oracle	model:	solaris	scope:	eq	version:	11.3	Trust: 1.0
vendor:	mysql ab	model:	mysql	scope:	lte	version:	5.5.9	Trust: 0.8
vendor:	juniper	model:	junos space	scope:	eq	version:	15.1	Trust: 0.6
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	12.04	Trust: 0.3
vendor:	debian	model:	linux sparc	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux s/390	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux powerpc	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux mips	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux ia-64	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux ia-32	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux arm	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux amd64	scope:	eq	version:	6.0	Trust: 0.3

sources: BID: 70489 // JVNDB: JVNDB-2014-004813 // CNNVD: CNNVD-201410-388 // NVD: CVE-2014-6478

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-6478
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-6478
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201410-388
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-74422
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2014-6478
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-6478
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-74422
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-74422 // VULMON: CVE-2014-6478 // JVNDB: JVNDB-2014-004813 // CNNVD: CNNVD-201410-388 // NVD: CVE-2014-6478

PROBLEMTYPE DATA

problemtype:

NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-6478

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-388

TYPE

Unknown

Trust: 0.3

sources: BID: 70489

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004813

PATCH

title:	Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices	url:	http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html	Trust: 0.8
title:	Oracle Critical Patch Update Advisory - October 2014	url:	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html	Trust: 0.8
title:	Oracle Solaris Third Party Bulletin - October 2015	url:	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	Trust: 0.8
title:	October 2014 Critical Patch Update Released	url:	https://blogs.oracle.com/security/entry/october_2014_critical_patch_update	Trust: 0.8
title:	JSA10698	url:	http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698&actp=search	Trust: 0.8
title:	mysql-5.5.39	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51843	Trust: 0.6
title:	mysql-5.6.20	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51847	Trust: 0.6
title:	mysql-5.5.39	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51842	Trust: 0.6
title:	mysql-5.6.20	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51846	Trust: 0.6
title:	mysql-5.5.39-osx10.6-x86_64	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51841	Trust: 0.6
title:	mysql-5.6.20-osx10.6-x86_64	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51845	Trust: 0.6
title:	mysql-5.5.39-win32	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51840	Trust: 0.6
title:	mysql-5.6.20-win32	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51844	Trust: 0.6
title:	Red Hat: CVE-2014-6478	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2014-6478	Trust: 0.1
title:	Ubuntu Security Notice: mysql-5.5 vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-2384-1	Trust: 0.1
title:	Debian Security Advisories: DSA-3054-1 mysql-5.5 -- security update	url:	https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=dc9d1bd54965b02ce0b328f02c7c1489	Trust: 0.1
title:	Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2015	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=92308e3c4d305e91c2eba8c9c6835e83	Trust: 0.1
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2014-6478	Trust: 0.1

sources: VULMON: CVE-2014-6478 // JVNDB: JVNDB-2014-004813 // CNNVD: CNNVD-201410-388

EXTERNAL IDS

db:	NVD	id:	CVE-2014-6478	Trust: 3.1
db:	BID	id:	70489	Trust: 2.1
db:	JUNIPER	id:	JSA10698	Trust: 1.8
db:	JVNDB	id:	JVNDB-2014-004813	Trust: 0.8
db:	CNNVD	id:	CNNVD-201410-388	Trust: 0.7
db:	VULHUB	id:	VHN-74422	Trust: 0.1
db:	VULMON	id:	CVE-2014-6478	Trust: 0.1
db:	PACKETSTORM	id:	128698	Trust: 0.1
db:	PACKETSTORM	id:	128759	Trust: 0.1

sources: VULHUB: VHN-74422 // VULMON: CVE-2014-6478 // BID: 70489 // JVNDB: JVNDB-2014-004813 // PACKETSTORM: 128698 // PACKETSTORM: 128759 // CNNVD: CNNVD-201410-388 // NVD: CVE-2014-6478

REFERENCES

url:	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html	Trust: 2.0
url:	http://www.securityfocus.com/bid/70489	Trust: 1.9
url:	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	Trust: 1.8
url:	http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.html	Trust: 1.8
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10698	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6478	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6478	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6469	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6463	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6478	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6495	Trust: 0.2
url:	http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6491	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6551	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6484	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6500	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6555	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-4274	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6496	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6464	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-4287	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6505	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6507	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6520	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6559	Trust: 0.2
url:	http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6530	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6494	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2012-5615	Trust: 0.2
url:	http://www.debian.org/security/	Trust: 0.2
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10698	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2014-6478	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2014-6478	Trust: 0.1
url:	https://usn.ubuntu.com/2384-1/	Trust: 0.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=36083	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1	Trust: 0.1
url:	http://www.ubuntu.com/usn/usn-2384-1	Trust: 0.1
url:	http://www.debian.org/security/faq	Trust: 0.1

sources: VULHUB: VHN-74422 // VULMON: CVE-2014-6478 // JVNDB: JVNDB-2014-004813 // PACKETSTORM: 128698 // PACKETSTORM: 128759 // CNNVD: CNNVD-201410-388 // NVD: CVE-2014-6478

CREDITS

Oracle

Trust: 0.3

sources: BID: 70489

SOURCES

db:	VULHUB	id:	VHN-74422
db:	VULMON	id:	CVE-2014-6478
db:	BID	id:	70489
db:	JVNDB	id:	JVNDB-2014-004813
db:	PACKETSTORM	id:	128698
db:	PACKETSTORM	id:	128759
db:	CNNVD	id:	CNNVD-201410-388
db:	NVD	id:	CVE-2014-6478

LAST UPDATE DATE

2024-08-14T12:46:43.275000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-74422	date:	2018-12-18T00:00:00
db:	VULMON	id:	CVE-2014-6478	date:	2022-08-29T00:00:00
db:	BID	id:	70489	date:	2015-04-16T17:42:00
db:	JVNDB	id:	JVNDB-2014-004813	date:	2015-12-02T00:00:00
db:	CNNVD	id:	CNNVD-201410-388	date:	2022-08-30T00:00:00
db:	NVD	id:	CVE-2014-6478	date:	2022-08-29T20:50:12.107

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-74422	date:	2014-10-15T00:00:00
db:	VULMON	id:	CVE-2014-6478	date:	2014-10-15T00:00:00
db:	BID	id:	70489	date:	2014-10-14T00:00:00
db:	JVNDB	id:	JVNDB-2014-004813	date:	2014-10-20T00:00:00
db:	PACKETSTORM	id:	128698	date:	2014-10-15T23:08:56
db:	PACKETSTORM	id:	128759	date:	2014-10-21T00:40:52
db:	CNNVD	id:	CNNVD-201410-388	date:	2014-10-17T00:00:00
db:	NVD	id:	CVE-2014-6478	date:	2014-10-15T15:55:08.790