Oracle Releases Advisory Addressing Multiple Security Issues

Photograph of Oracle Building

News of a substantial batch of software vulnerabilities affecting several of Oracle’s products has come in. In response, Oracle released its Critical Patch Update Advisory for October 2021 to the public. The report details a large number of software vulnerabilities. Some of the security flaws specifically affect MySQL Server, and among the long list of vulnerabilities is one marked as critical. This is not a first-time occurrence for Oracle, as the corporation has had severe issues with server misconfiguration and data breaches in the past. Furthermore, cyberattack attempts directed at the Oracle family of products are a fairly regular occurrence.

About Oracle

Oracle is an American multinational technology corporation that is known for its dominance in the database management systems and database software markets, as well as cloud and enterprise solutions markets. It is one of the largest corporations in the world.

About MySQL

MySQL (My Structured Query Language) is an open-source relational database management system (RDBMS) widely used in corporate environments and designed for the efficient structuring of data. MySQL was first developed by MySQL AB in 1995 and later acquired by Oracle. According to statistics, as of June 2021, Oracle’s database and MySQL hold the top spots in the global DBMS rankings. MySQL also runs in the background of the majority of websites on the internet.

Multiple Vulnerabilities in MySQL Server

Oracle’s October Security Advisory indicates a total of over 400 software vulnerabilities affecting multiple product families. 49 of these vulnerabilities affect MySQL Server.

Details surrounding the single critical MySQL Server vulnerability (CVE-2021-3711) reveal that it is a buffer overflow. The weakness can be exploited by remote attackers and can lead to complete compromise of an unpatched system.

Technical Details

The vulnerability allows a remote attacker to execute arbitrary code on the target system. It exists because of a boundary error in the EVP_PKEY_decrypt() function (part of the OpenSSL library) within the implementation of SM2 decryption. Because of this, a remote attacker can send specially crafted SM2 content for decryption to trigger a buffer overflow by 62 bytes and execute arbitrary code on the target system.

Vulnerable Versions

The following versions of MySQL Server are vulnerable to the above security issues (5.7.35/8.0.26 and earlier):

5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.7.10, 5.7.11, 5.7.12, 5.7.13, 5.7.14, 5.7.15, 5.7.16, 5.7.17, 5.7.18, 5.7.19, 5.7.20, 5.7.21, 5.7.22, 5.7.23, 5.7.24, 5.7.25, 5.7.26, 5.7.27, 5.7.28, 5.7.29, 5.7.30, 5.7.31, 5.7.32, 5.7.33, 5.7.34, 5.7.35, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26
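Because the affected set is simply "5.7.35/8.0.26 and earlier" on the two supported branches, the practical defender's check is to pull the version string from each server (the output of SELECT VERSION()) and compare it against those two thresholds. The script below is an added example written for this article, not code from Oracle or from the MySQL project; the host names and version strings in the sample inventory are constructed, and the thresholds are the ones stated above. Branches the advisory does not list (for example 5.6) are reported as "review" rather than silently treated as safe.

```python
import re
from typing import Optional, Tuple

# Highest vulnerable release on each affected branch, per the advisory
# ("5.7.35/8.0.26 and earlier"). Anything newer on the same branch
# carries the October 2021 fix.
LAST_VULNERABLE = {
    (5, 7): 35,
    (8, 0): 26,
}

# Leading "major.minor.patch" triple; whatever follows is a build suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(version_string: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the string SELECT VERSION() returns.

    Distribution suffixes such as '-log', '-0ubuntu0.20.04.3' or
    '-commercial' are ignored; only the numeric triple matters here.
    """
    m = VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version_string: str) -> Optional[bool]:
    """True if the server is on an affected branch at or below the last
    vulnerable release, False if it is newer, and None if the branch is
    not one the advisory lists, so the caller can flag it for manual review.
    """
    major, minor, patch = parse_mysql_version(version_string)
    last_bad = LAST_VULNERABLE.get((major, minor))
    if last_bad is None:
        return None
    return patch <= last_bad


def triage(servers: dict) -> dict:
    """Map host name -> 'patch', 'ok' or 'review' for a fleet inventory."""
    verdicts = {}
    for host, version in servers.items():
        v = is_vulnerable(version)
        verdicts[host] = "review" if v is None else ("patch" if v else "ok")
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions),
    # in the shape you get by running `SELECT VERSION()` on each server.
    inventory = {
        "db-legacy-01": "5.7.33-log",
        "db-prod-02": "8.0.26-0ubuntu0.20.04.3",
        "db-prod-03": "8.0.27",
        "db-old-04": "5.6.51",
    }
    for host, verdict in triage(inventory).items():
        print(f"{host:14s} {inventory[host]:28s} -> {verdict}")
```

The "review" verdict matters in practice: an out-of-support 5.6 server is not covered by the advisory's list, but it also receives no fix, so it deserves a human look rather than a green checkmark.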

Important User Information

It is important for MySQL users and hosts to know that a large multi-product patch has been released that addresses the issues. The fix is delivered as a “Critical Patch Update”, which “is a collection of patches for multiple security vulnerabilities”. It includes a total of 419 security patches that span several Oracle “product families”.

Oracle has also stated the following critical information: “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible”. More information can be found under the ‘Workarounds’ section of the Oracle Security Advisory release report linked in the above sections.

More information about the MySQL patches can be found here, while the complete list of fixes can be found here. MySQL Server updates are usually applied by the web host or automatically; however, in some cases users can also carry out manual MySQL Server maintenance themselves.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.