CVE-2017-15365
First published: Mon Dec 11 2017(Updated: )
sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/mariadb-10.1 | <=1:10.1.29-6<=10.1.23-1 | 1:10.1.34-1 10.1.37-0+deb9u1 |
| debian/mariadb-10.0 | ||
| debian/mysql-5.5 | ||
| debian/mysql-5.7 | ||
| debian/percona-xtrabackup | ||
| redhat/mariadb | <10.2.10 | 10.2.10 |
| redhat/mariadb | <10.1.30 | 10.1.30 |
| Fedoraproject Fedora | =26 | |
| Mariadb Mariadb | <10.1.30 | |
| Mariadb Mariadb | >=10.2.0<10.2.10 | |
| Percona XtraDB Cluster | <5.6.37-26.21-3 | |
| Percona XtraDB Cluster | >=5.7.0<5.7.19-29.22-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-15365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
- https://bugzilla.redhat.com/show_bug.cgi?id=1524234
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882909
- https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.1.git/commit/?h=stretch
- https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885345
- https://access.redhat.com/errata/RHSA-2019:1258
- https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ELCZV46WIYSJ6VMC65GMNN3A3QDRUJGK/
- https://mariadb.com/kb/en/library/mariadb-10130-release-notes/
- https://mariadb.com/kb/en/library/mariadb-10210-release-notes/
- https://www.debian.org/security/2018/dsa-4341
- https://www.percona.com/blog/2017/10/30/percona-xtradb-cluster-5-6-37-26-21-3-is-now-available/
- https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html
- https://access.redhat.com/security/cve/CVE-2017-15365
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
- https://mariadb.com/kb/en/library/mariadb-10210-changelog/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1524235
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1524767
- https://mariadb.com/kb/en/library/security/
- https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e?diff=unified
- https://github.com/MariaDB/server/commit/df4dd593f29aec8e2116aec1775ad4b8833d8c93
Frequently Asked Questions
What is CVE-2017-15365?
CVE-2017-15365 is a vulnerability in MariaDB and Percona XtraDB Cluster that allows remote authenticated users to bypass intended access restrictions and replicate data definition language (DDL) statements.
How severe is CVE-2017-15365?
CVE-2017-15365 has a severity score of 8.8, which is considered high.
Which software versions are affected by CVE-2017-15365?
MariaDB versions before 10.1.30 and 10.2.x before 10.2.10, and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 are affected by CVE-2017-15365.
How can I fix CVE-2017-15365?
To fix CVE-2017-15365, you should upgrade your MariaDB version to 10.1.30 or later, or upgrade Percona XtraDB Cluster to 5.6.37-26.21-3 or later.
Where can I find more information about CVE-2017-15365?
You can find more information about CVE-2017-15365 at the following references: [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2019:1258), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1524234), [MariaDB Commit](https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- collector/debian-bugs
- alias/CVE-2017-15365
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/security-tracker-debian
- package-manager/debian
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/26
- vendor/mariadb
- canonical/mariadb mariadb
- version/mariadb mariadb/10.2.0
- vendor/percona
- canonical/percona xtradb cluster
- version/percona xtradb cluster/5.7.0
- package-manager/redhat