CVE-2017-15365
First published: Mon Dec 11 2017(Updated: )
MariaDB have noted in their release notes that reserved <a href="https://access.redhat.com/security/cve/CVE-2017-15365">CVE-2017-15365</a> has been fixed in version 10.2.10[1], however they have not described how or what the vulnerability was. This CVE is also mentioned to affect Percona[2] with the fix is described as: "Added access checks for DDL commands to make sure they do not get replicated if they failed without proper permissions" A comparison with the MariaDB 10.2.10 changelog[3] and Percona description finds this commit[4], which seems a likely candidate for both describing and fixing the vulnerability. The vulnerable code block in sql/event_data_objects.cc is also present in version 10.1, suggesting that it is also affected. [0] <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365</a> [1] <a href="https://mariadb.com/kb/en/library/mariadb-10210-release-notes/">https://mariadb.com/kb/en/library/mariadb-10210-release-notes/</a> [2] <a href="https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html">https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html</a> [3] <a href="https://mariadb.com/kb/en/library/mariadb-10210-changelog/">https://mariadb.com/kb/en/library/mariadb-10210-changelog/</a> [4] <a href="https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e">https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/mariadb-10.1 | <=1:10.1.29-6<=10.1.23-1 | 1:10.1.34-1 10.1.37-0+deb9u1 |
| debian/mariadb-10.0 | ||
| debian/mysql-5.5 | ||
| debian/mysql-5.7 | ||
| debian/percona-xtrabackup | ||
| redhat/mariadb | <10.2.10 | 10.2.10 |
| redhat/mariadb | <10.1.30 | 10.1.30 |
| Fedoraproject Fedora | =26 | |
| Mariadb Mariadb | <10.1.30 | |
| Mariadb Mariadb | >=10.2.0<10.2.10 | |
| Percona XtraDB Cluster | <5.6.37-26.21-3 | |
| Percona XtraDB Cluster | >=5.7.0<5.7.19-29.22-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-15365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
- https://bugzilla.redhat.com/show_bug.cgi?id=1524234
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882909
- https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.1.git/commit/?h=stretch
- https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885345
- https://access.redhat.com/errata/RHSA-2019:1258
- https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ELCZV46WIYSJ6VMC65GMNN3A3QDRUJGK/
- https://mariadb.com/kb/en/library/mariadb-10130-release-notes/
- https://mariadb.com/kb/en/library/mariadb-10210-release-notes/
- https://www.debian.org/security/2018/dsa-4341
- https://www.percona.com/blog/2017/10/30/percona-xtradb-cluster-5-6-37-26-21-3-is-now-available/
- https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html
- https://access.redhat.com/security/cve/CVE-2017-15365
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
- https://mariadb.com/kb/en/library/mariadb-10210-changelog/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1524235
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1524767
- https://mariadb.com/kb/en/library/security/
- https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e?diff=unified
- https://github.com/MariaDB/server/commit/df4dd593f29aec8e2116aec1775ad4b8833d8c93
Frequently Asked Questions
What is CVE-2017-15365?
CVE-2017-15365 is a vulnerability in MariaDB and Percona XtraDB Cluster that allows remote authenticated users to bypass intended access restrictions and replicate data definition language (DDL) statements.
How severe is CVE-2017-15365?
CVE-2017-15365 has a severity score of 8.8, which is considered high.
Which software versions are affected by CVE-2017-15365?
MariaDB versions before 10.1.30 and 10.2.x before 10.2.10, and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 are affected by CVE-2017-15365.
How can I fix CVE-2017-15365?
To fix CVE-2017-15365, you should upgrade your MariaDB version to 10.1.30 or later, or upgrade Percona XtraDB Cluster to 5.6.37-26.21-3 or later.
Where can I find more information about CVE-2017-15365?
You can find more information about CVE-2017-15365 at the following references: [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2019:1258), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1524234), [MariaDB Commit](https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e).
- collector/debian-bugs
- alias/CVE-2017-15365
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/references
- agent/remedy
- agent/author
- agent/severity
- agent/event
- agent/trending
- agent/description
- agent/tags
- agent/source
- package-manager/debian
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/26
- vendor/mariadb
- canonical/mariadb mariadb
- version/mariadb mariadb/10.2.0
- vendor/percona
- canonical/percona xtradb cluster
- version/percona xtradb cluster/5.7.0
- package-manager/redhat