Multiple MySQL Vulnerabilities
Severity
Medium
Vendor
Cloud Foundry Foundation, MariaDB
Versions Affected
- MariaDB versions prior to 10.1.17
- cf-mysql versions prior to v29
Description
The Cloud Foundry MySQL team recently completed an upgrade of MariaDB to 10.1.17, which fixes a large number of CVEs, including:
- Dawid Golunski discovered that MySQL incorrectly handled configuration files. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. (CVE-2016-6662) [1]
- The full list of CVEs fixed in MariaDB 10.1.17 and earlier versions can be found on their website [2].
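To turn the version ranges above into something an operator can run against an inventory, here is an added example (not code from the Cloud Foundry advisory or the cf-mysql project): it parses the numeric prefix of a MariaDB `SELECT VERSION()` string and a cf-mysql-release tag, and flags anything older than the first fixed releases named in this advisory (MariaDB 10.1.17, cf-mysql-release v29). The inventory entries are constructed sample values, and the helper names are assumptions of this example.

```python
"""Added example, not part of the advisory: flag MariaDB servers and
cf-mysql-release deployments that fall inside the affected version ranges
(MariaDB < 10.1.17, cf-mysql-release < v29).  Sample inventory values below
are constructed for illustration."""
import re
from typing import Dict, List, Tuple

FIXED_MARIADB = (10, 1, 17)   # first fixed MariaDB release per the advisory
FIXED_CF_MYSQL = 29           # first fixed cf-mysql-release per the advisory


def parse_mariadb_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a `SELECT VERSION()` result such as
    '10.1.16-MariaDB-1~jessie'; suffixes after the numeric prefix are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MariaDB version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def mariadb_is_affected(version_text: str) -> bool:
    """True when the server is older than 10.1.17 (tuple comparison, so
    5.5.x and 10.0.x are also reported as affected, matching 'prior to')."""
    return parse_mariadb_version(version_text) < FIXED_MARIADB


def cf_mysql_is_affected(release_text: str) -> bool:
    """True for cf-mysql-release versions before v29; accepts 'v28', '28', '28.1'."""
    m = re.match(r"\s*v?(\d+)", release_text)
    if not m:
        raise ValueError(f"unrecognised cf-mysql-release version: {release_text!r}")
    return int(m.group(1)) < FIXED_CF_MYSQL


def triage(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the names of inventory entries needing an upgrade.  Each entry maps
    a deployment name to (mariadb_version_string, cf_mysql_release_version)."""
    needs_upgrade = []
    for name, (mariadb_version, cf_mysql_release) in inventory.items():
        if mariadb_is_affected(mariadb_version) or cf_mysql_is_affected(cf_mysql_release):
            needs_upgrade.append(name)
    return needs_upgrade


# Constructed sample inventory (hypothetical deployment names and versions).
SAMPLE_INVENTORY = {
    "prod-east":  ("10.1.16-MariaDB-1~jessie", "v28"),   # both old
    "prod-west":  ("10.1.17-MariaDB-log", "v29"),        # both fixed
    "staging":    ("10.1.17-MariaDB", "v27"),            # server fixed, release old
    "legacy":     ("5.5.52-MariaDB", "v29"),             # server old, release fixed
}

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: upgrade required (MariaDB < 10.1.17 or cf-mysql-release < v29)")
```

Run it against real output of `SELECT VERSION()` and the deployed release version from the BOSH manifest; any name printed should be upgraded using the mitigation section below.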
Affected VMware Products and Versions
- Pivotal Cloud Foundry Elastic Runtime versions prior to 1.6.41, 1.7.x versions prior to 1.7.23, or 1.8.x versions prior to 1.8.3
- MySQL for PCF: all versions should upgrade to version 1.7.14, or, for 1.8.0-edge versions, to 1.8.0-edge.10
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to cf-mysql-release v29+ [3]
Users of affected Pivotal product versions should apply the following mitigations:
- Upgrade PCF Elastic Runtime to 1.6.41, 1.7.x versions to 1.7.23, or 1.8.x versions to 1.8.4
- Upgrade MySQL for PCF to v1.7.14 for all PCF Elastic Runtime versions 1.6 - 1.8+