Source: mysql-8.0 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for mysql-8.0. All fixed in latest CPU: CVE-2022-21569[0]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows low privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21556[1]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.28 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized creation, deletion or modification access to critical | data or all MySQL Server accessible data and unauthorized ability to | cause a hang or frequently repeatable crash (complete DOS) of MySQL | Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). | CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H). CVE-2022-21553[2]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21550[3]: | Vulnerability in the MySQL Cluster product of Oracle MySQL (component: | Cluster: General). Supported versions that are affected are 7.4.36 and | prior, 7.5.26 and prior, 7.6.22 and prior and and 8.0.29 and prior. | Difficult to exploit vulnerability allows high privileged attacker | with access to the physical communication segment attached to the | hardware where the MySQL Cluster executes to compromise MySQL Cluster. | Successful attacks require human interaction from a person other than | the attacker. Successful attacks of this vulnerability can result in | takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, | Integrity and Availability impacts). CVSS Vector: | (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H). CVE-2022-21547[4]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Federated). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21539[5]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | InnoDB). Supported versions that are affected are 8.0.29 and prior. | Difficult to exploit vulnerability allows low privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | update, insert or delete access to some of MySQL Server accessible | data as well as unauthorized read access to a subset of MySQL Server | accessible data and unauthorized ability to cause a partial denial of | service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 5.0 | (Confidentiality, Integrity and Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L). CVE-2022-21538[6]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Security: Encryption). Supported versions that are affected | are 8.0.29 and prior. Difficult to exploit vulnerability allows low | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized ability to cause a partial denial of service | (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L). CVE-2022-21537[7]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | InnoDB). Supported versions that are affected are 8.0.29 and prior. | Easily exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete DOS) | of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS | Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21535[8]: | Vulnerability in the MySQL Shell product of Oracle MySQL (component: | Shell: General/Core Client). Supported versions that are affected are | 8.0.28 and prior. Difficult to exploit vulnerability allows | unauthenticated attacker with logon to the infrastructure where MySQL | Shell executes to compromise MySQL Shell. Successful attacks require | human interaction from a person other than the attacker. Successful | attacks of this vulnerability can result in unauthorized ability to | cause a partial denial of service (partial DOS) of MySQL Shell. CVSS | 3.1 Base Score 2.5 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). CVE-2022-21534[9]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Stored Procedure). Supported versions that are affected are | 8.0.29 and prior. Easily exploitable vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21531[10]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21530[11]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21529[12]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21528[13]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server as well as unauthorized update, insert | or delete access to some of MySQL Server accessible data. CVSS 3.1 | Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). CVE-2022-21527[14]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server as well as unauthorized update, insert | or delete access to some of MySQL Server accessible data. CVSS 3.1 | Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). CVE-2022-21526[15]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21525[16]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21522[17]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Stored Procedure). Supported versions that are affected are | 8.0.29 and prior. Difficult to exploit vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.4 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21519[18]: | Vulnerability in the MySQL Cluster product of Oracle MySQL (component: | Cluster: General). Supported versions that are affected are 8.0.29 and | prior. Difficult to exploit vulnerability allows unauthenticated | attacker with network access via multiple protocols to compromise | MySQL Cluster. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Cluster. CVSS 3.1 Base Score 5.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21517[19]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | InnoDB). Supported versions that are affected are 8.0.29 and prior. | Easily exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete DOS) | of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS | Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21515[20]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Options). Supported versions that are affected are 5.7.38 and | prior and 8.0.29 and prior. Easily exploitable vulnerability allows | high privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21509[21]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.29 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server as well as unauthorized update, insert | or delete access to some of MySQL Server accessible data. CVSS 3.1 | Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). CVE-2022-21455[22]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: PAM Auth Plugin). Supported versions that are affected are | 8.0.28 and prior. Easily exploitable vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized creation, deletion or modification access to | critical data or all MySQL Server accessible data. CVSS 3.1 Base Score | 4.9 (Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-21569 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21569 [1] https://security-tracker.debian.org/tracker/CVE-2022-21556 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21556 [2] https://security-tracker.debian.org/tracker/CVE-2022-21553 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21553 [3] https://security-tracker.debian.org/tracker/CVE-2022-21550 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21550 [4] https://security-tracker.debian.org/tracker/CVE-2022-21547 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21547 [5] https://security-tracker.debian.org/tracker/CVE-2022-21539 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21539 [6] https://security-tracker.debian.org/tracker/CVE-2022-21538 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21538 [7] https://security-tracker.debian.org/tracker/CVE-2022-21537 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21537 [8] https://security-tracker.debian.org/tracker/CVE-2022-21535 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21535 [9] https://security-tracker.debian.org/tracker/CVE-2022-21534 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21534 [10] https://security-tracker.debian.org/tracker/CVE-2022-21531 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21531 [11] https://security-tracker.debian.org/tracker/CVE-2022-21530 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21530 [12] https://security-tracker.debian.org/tracker/CVE-2022-21529 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21529 [13] https://security-tracker.debian.org/tracker/CVE-2022-21528 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21528 [14] https://security-tracker.debian.org/tracker/CVE-2022-21527 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21527 [15] https://security-tracker.debian.org/tracker/CVE-2022-21526 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21526 [16] https://security-tracker.debian.org/tracker/CVE-2022-21525 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21525 [17] https://security-tracker.debian.org/tracker/CVE-2022-21522 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21522 [18] https://security-tracker.debian.org/tracker/CVE-2022-21519 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21519 [19] https://security-tracker.debian.org/tracker/CVE-2022-21517 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21517 [20] https://security-tracker.debian.org/tracker/CVE-2022-21515 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21515 [21] https://security-tracker.debian.org/tracker/CVE-2022-21509 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21509 [22] https://security-tracker.debian.org/tracker/CVE-2022-21455 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21455 Please adjust the affected versions in the BTS as needed.