Multiple MySQL Vulnerabilities


Severity

Medium

Vendor

Cloud Foundry Foundation, MariaDB

Versions Affected
  • MariaDB versions prior to 10.1.17
  • cf-mysql versions prior to v29
Description

The Cloud Foundry MySQL team recently completed an upgrade of MariaDB to 10.1.17, which fixes a large number of CVEs, including:

  • Dawid Golunski discovered that MySQL incorrectly handled configuration files. An attacker who can reach the database with sufficient privileges could possibly use this issue to execute arbitrary code with root privileges. (CVE-2016-6662) [1]
  • The full list of CVEs fixed in MariaDB 10.1.17 and earlier versions can be found on their website [2].

Affected Pivotal Products and Versions
  • Pivotal Cloud Foundry Elastic Runtime versions prior to 1.6.41, 1.7.x versions prior to 1.7.23, or 1.8.x versions prior to 1.8.3
  • MySQL for PCF, all versions prior to 1.7.14, or 1.8.0-edge versions prior to 1.8.0-edge.10
Mitigation

OSS users are strongly encouraged to apply the mitigation below:

  • Upgrade to cf-mysql-release v29+ [3]

Users of affected Pivotal product versions should apply the following mitigations:

  • Upgrade PCF Elastic Runtime to 1.6.41, 1.7.x versions to 1.7.23, or 1.8.x versions to 1.8.4
  • Upgrade MySQL for PCF to v1.7.14 for all PCF Elastic Runtime versions 1.6 - 1.8+
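The following is an added example, not part of this advisory or of cf-mysql-release, that checks a deployment against the "Versions Affected" thresholds above. It assumes the MariaDB version is supplied as the text returned by `SELECT VERSION()` or printed by `mysqld --version`, and that the cf-mysql-release version is given as the plain release number (for example "v28"); the sample banners in the block are constructed for illustration. The check follows the advisory's wording literally and treats every MariaDB version below 10.1.17 as affected.

```python
import re
from typing import Optional, Tuple

# Thresholds taken from the "Versions Affected" section of the advisory.
MARIADB_FIXED = (10, 1, 17)
CF_MYSQL_FIXED_RELEASE = 29

# Matches the numeric part of a MariaDB version string such as
# "10.1.16-MariaDB" or "mysqld  Ver 10.1.16-MariaDB for Linux ...".
_MARIADB_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_mariadb_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version banner, or None."""
    match = _MARIADB_VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def mariadb_is_affected(text: str) -> bool:
    """True when the banner reports a version prior to 10.1.17.

    Any version that sorts below the fix version is reported as affected,
    exactly as the advisory states it (assumption: no other release line
    is treated as patched here).
    """
    version = parse_mariadb_version(text)
    if version is None:
        raise ValueError(f"could not parse a MariaDB version from {text!r}")
    return version < MARIADB_FIXED


def cf_mysql_release_is_affected(release: str) -> bool:
    """True for cf-mysql-release versions prior to v29 ("v28", "28", ...)."""
    match = re.fullmatch(r"v?(\d+)", release.strip())
    if match is None:
        raise ValueError(f"unrecognised cf-mysql-release version {release!r}")
    return int(match.group(1)) < CF_MYSQL_FIXED_RELEASE


if __name__ == "__main__":
    # Constructed sample inputs; a real check would feed in the output of
    # `SELECT VERSION()` and the deployed release name from the BOSH manifest.
    for banner in ("mysqld  Ver 10.1.16-MariaDB for Linux on x86_64",
                   "10.1.17-MariaDB"):
        state = "AFFECTED" if mariadb_is_affected(banner) else "patched"
        print(f"{banner!r}: {state}")
    for release in ("v28", "v29"):
        state = "AFFECTED" if cf_mysql_release_is_affected(release) else "patched"
        print(f"cf-mysql-release {release}: {state}")
```

Run it against the actual `SELECT VERSION()` output and the release name from your deployment manifest; a raised `ValueError` means the input was not a version string the check understands, which should be treated as "unknown", not as "patched".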

References