CVE-2018-2696
First published: Fri Nov 03 2017(Updated: )
It was discovered that the MySQL's sha256_password authentication plugin did not restrict the length password received from authenticating client before passing it to the my_crypt_genhash() function. This function implements SHA256 crypt password hashing algorithm that can also be used for hashing passwords in /etc/shadow on Linux systems. The algorithm is computationally intensive, and an excessively long passwords cause mysqld thread handling specific connection to consume all available CPU time. Additionally, the algorithm implementation in MySQL uses alloca() for memory allocation, which does not protect against stack overflow, possibly leading to memory corruption, process crash, and potentially code execution. Note that this issue affects deployments where non-default sha256_password authentication is configured for some or all database users.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle MySQL | >=5.6.0<=5.6.38 | |
| Oracle MySQL | >=5.7.0<=5.7.20 | |
| redhat/mysql | <5.6.39 | 5.6.39 |
| redhat/mysql | <5.7.21 | 5.7.21 |
| debian/mysql-5.5 | ||
| debian/mysql-5.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.securityfocus.com/bid/102701
- http://www.securitytracker.com/id/1040216
- https://access.redhat.com/errata/RHSA-2018:0586
- https://access.redhat.com/errata/RHSA-2018:0587
- https://security.netapp.com/advisory/ntap-20180117-0002/
- https://usn.ubuntu.com/3537-1/
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1348482&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1348482&action=edit
- https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-39.html
- https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html
- https://github.com/mysql/mysql-server/commit/475dcde2c7856dd0050b967099a86c087d94f32f
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL
- https://bugzilla.redhat.com/show_bug.cgi?id=1509475
- https://launchpad.net/bugs/cve/CVE-2018-2696
- https://security-tracker.debian.org/tracker/CVE-2018-2696
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2696
- https://nvd.nist.gov/vuln/detail/CVE-2018-2696
- https://ubuntu.com/security/CVE-2018-2696
- collector/nvd-index
- agent/author
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-2696
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/description
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle mysql
- version/oracle mysql/5.6.0
- version/oracle mysql/5.6.38
- version/oracle mysql/5.7.0
- version/oracle mysql/5.7.20
- package-manager/redhat
- package-manager/debian