Bug 819660 (CVE-2021-35584, CVE-2021-35590, CVE-2021-35592, CVE-2021-35593, CVE-2021-35594, CVE-2021-35598, CVE-2021-35613, CVE-2021-35618, CVE-2021-35621) - dev-db/mysql-cluster: multiple vulnerabilities
Summary: dev-db/mysql-cluster: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-35584, CVE-2021-35590, CVE-2021-35592, CVE-2021-35593, CVE-2021-35594, CVE-2021-35598, CVE-2021-35613, CVE-2021-35618, CVE-2021-35621
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.oracle.com/security-alert...
Whiteboard: ~3 [noglsa]
Keywords: PMASKED
Depends on: 834113
Blocks:
Reported: 2021-10-23 13:36 UTC by John Helmert III
Modified: 2022-04-13 14:36 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-23 13:36:55 UTC
CVE-2021-22931 (https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/):

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

CVE-2021-35584:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: ndbcluster/plugin DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35590:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35592:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35593:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35594:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35598:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35613:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35618:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 1.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L).

CVE-2021-35621:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).


Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-11 14:44:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efc70d2d8a5e6eb1d891faa922ebc513e422a896

commit efc70d2d8a5e6eb1d891faa922ebc513e422a896
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-11 14:43:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-11 14:44:17 +0000

    profiles: last-rite dev-db/mysql-cluster
    
    Bug: https://bugs.gentoo.org/834113
    Bug: https://bugs.gentoo.org/638856
    Bug: https://bugs.gentoo.org/675986
    Bug: https://bugs.gentoo.org/693564
    Bug: https://bugs.gentoo.org/741548
    Bug: https://bugs.gentoo.org/746710
    Bug: https://bugs.gentoo.org/750776
    Bug: https://bugs.gentoo.org/781281
    Bug: https://bugs.gentoo.org/801697
    Bug: https://bugs.gentoo.org/805521
    Bug: https://bugs.gentoo.org/819660
    Bug: https://bugs.gentoo.org/829342
    Bug: https://bugs.gentoo.org/831445
    Bug: https://bugs.gentoo.org/833523
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-04-13 05:55:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09e310df2857835d3298359785d695c5fb9d60ee

commit 09e310df2857835d3298359785d695c5fb9d60ee
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-13 05:51:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-13 05:54:57 +0000

    dev-db/mysql-cluster: treeclean
    
    Closes: https://bugs.gentoo.org/834113
    Closes: https://bugs.gentoo.org/829342
    Closes: https://bugs.gentoo.org/833523
    Closes: https://bugs.gentoo.org/693564
    Closes: https://bugs.gentoo.org/741548
    Closes: https://bugs.gentoo.org/746710
    Closes: https://bugs.gentoo.org/781281
    Closes: https://bugs.gentoo.org/638856
    Closes: https://bugs.gentoo.org/675986
    Closes: https://bugs.gentoo.org/831445
    Closes: https://bugs.gentoo.org/750776
    Closes: https://bugs.gentoo.org/801697
    Closes: https://bugs.gentoo.org/805521
    Bug: https://bugs.gentoo.org/819660
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mysql-cluster/Manifest                    |   2 -
 dev-db/mysql-cluster/files/my.cnf-5.6            | 139 ----
 dev-db/mysql-cluster/metadata.xml                |  19 -
 dev-db/mysql-cluster/mysql-cluster-7.4.21.ebuild | 811 -----------------------
 4 files changed, 971 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 14:36:18 UTC
All done!