Oracle MySQL Cluster up to 8.0.19 Cluster: General denial of service

Summaryinfo

A vulnerability was found in Oracle MySQL Cluster up to 7.3.28/7.4.27/7.5.17/7.6.13/8.0.19. It has been declared as critical. Affected by this issue is some unknown functionality of the component Cluster: General. Such manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2020-2768. The attack can be launched remotely. No exploit exists. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in Oracle MySQL Cluster up to 7.3.28/7.4.27/7.5.17/7.6.13/8.0.19 (Database Software) and classified as critical. Affected by this issue is some unknown processing of the component Cluster: General. The manipulation with an unknown input leads to a denial of service vulnerability. Using CWE to declare the problem leads to CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. Impacted is integrity, and availability. CVE summarizes:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Cluster as well as unauthorized update, insert or delete access to some of MySQL Cluster accessible data. CVSS 3.0 Base Score 6.3 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H).

The weakness was disclosed 04/15/2020 as Oracle Critical Patch Update Advisory - April 2020 as confirmed advisory (Website). The advisory is shared for download at oracle.com. This vulnerability is handled as CVE-2020-2768. The attack may be launched remotely. Required for exploitation is a simple authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1499.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries VDB-153686, VDB-153290, VDB-153291 and VDB-153293 are pretty similar. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Database Software

Vendor

• Oracle

Name

• MySQL Cluster

Version

• 7.3.0
• 7.3.1
• 7.3.2
• 7.3.3
• 7.3.4
• 7.3.5
• 7.3.6
• 7.3.7
• 7.3.8
• 7.3.9
• 7.3.10
• 7.3.11
• 7.3.12
• 7.3.13
• 7.3.14
• 7.3.15
• 7.3.16
• 7.3.17
• 7.3.18
• 7.3.19
• 7.3.20
• 7.3.21
• 7.3.22
• 7.3.23
• 7.3.24
• 7.3.25
• 7.3.26
• 7.3.27
• 7.3.28
• 7.4.0
• 7.4.1
• 7.4.2
• 7.4.3
• 7.4.4
• 7.4.5
• 7.4.6
• 7.4.7
• 7.4.8
• 7.4.9
• 7.4.10
• 7.4.11
• 7.4.12
• 7.4.13
• 7.4.14
• 7.4.15
• 7.4.16
• 7.4.17
• 7.4.18
• 7.4.19
• 7.4.20
• 7.4.21
• 7.4.22
• 7.4.23
• 7.4.24
• 7.4.25
• 7.4.26
• 7.4.27
• 7.5.0
• 7.5.1
• 7.5.2
• 7.5.3
• 7.5.4
• 7.5.5
• 7.5.6
• 7.5.7
• 7.5.8
• 7.5.9
• 7.5.10
• 7.5.11
• 7.5.12
• 7.5.13
• 7.5.14
• 7.5.15
• 7.5.16
• 7.5.17
• 7.6.0
• 7.6.1
• 7.6.2
• 7.6.3
• 7.6.4
• 7.6.5
• 7.6.6
• 7.6.7
• 7.6.8
• 7.6.9
• 7.6.10
• 7.6.11
• 7.6.12
• 7.6.13
• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.0.5
• 8.0.6
• 8.0.7
• 8.0.8
• 8.0.9
• 8.0.10
• 8.0.11
• 8.0.12
• 8.0.13
• 8.0.14
• 8.0.15
• 8.0.16
• 8.0.17
• 8.0.18
• 8.0.19

License

• open-source

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion