PatchSiren cyber security CVE debrief
CVE-2017-3273 Oracle CVE debrief
CVE-2017-3273 is a denial-of-service vulnerability in the MySQL Server component of Oracle MySQL. Oracle and NVD describe it as easily exploitable over the network by a low-privileged attacker, with impact limited to availability: affected servers can hang or crash repeatedly. The affected ranges listed by NVD are MySQL 5.6.34 and earlier, and 5.7.16 and earlier.
- Vendor: Oracle
- Product: CVE-2017-3273
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
MySQL administrators, database platform owners, SRE/operations teams, and security teams responsible for Oracle MySQL deployments or downstream packages.
Technical summary
NVD maps this issue to CWE-20 and gives CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is in Oracle MySQL Server, subcomponent Server: DDL. According to the CVE description, a low-privileged attacker with network access via multiple protocols can trigger a hang or a frequently repeatable crash, resulting in complete denial of service. NVD lists affected versions as 5.6.34 and earlier, and 5.7.16 and earlier.
Defensive priority
Medium
Recommended defensive actions
- Inventory MySQL servers and confirm whether any instance is running Oracle MySQL 5.6.34 or earlier, or 5.7.16 or earlier.
- Apply the Oracle CPU January 2017 update referenced by the vendor advisory, or the corresponding fixed downstream package from your distribution.
- If you rely on vendor-packaged MySQL, review downstream advisories such as Red Hat or Gentoo to verify the patched package version.
- Restrict network access to MySQL services and limit which low-privileged accounts can reach the server.
- Monitor for unexpected MySQL hangs or repeatable crashes and include this CVE in incident and patch verification checks.
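One way to run the inventory check from the first action, as an added example that is not part of the original advisory: it classifies server version strings (such as the output of `SELECT VERSION();`) against the two ranges listed above. The host names and sample strings are constructed, and reading each range as applying within its own release series (5.6.x and 5.7.x) is an assumption.

```python
import re

# Upper bounds of the affected ranges stated on this page (NVD listing).
# Assumption: each bound applies within its own release series.
AFFECTED_MAX_PATCH = {(5, 6): 34, (5, 7): 16}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def classify(version_string):
    """Classify one server version string against the listed ranges."""
    if "mariadb" in version_string.lower():
        # Not Oracle MySQL: consult that vendor's own advisories instead.
        return "other-vendor"
    match = _VERSION_RE.match(version_string)
    if not match:
        return "unparseable"
    major, minor, patch = (int(part) for part in match.groups())
    limit = AFFECTED_MAX_PATCH.get((major, minor))
    if limit is None:
        return "series-not-listed"
    # Suffixes such as "-log" or a distribution package tag are ignored here;
    # packaged builds still need the downstream advisory check.
    return "affected" if patch <= limit else "above-listed-range"


def triage(inventory):
    """Group host names by classification; hosts are sorted within a group."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory: host name -> reported version string.
SAMPLE_INVENTORY = {
    "db-a": "5.6.34-log",
    "db-b": "5.6.35",
    "db-c": "5.7.16-0ubuntu0.16.04.1",
    "db-d": "5.7.17",
    "db-e": "8.0.36",
    "db-f": "10.1.21-MariaDB",
    "db-g": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `series-not-listed`, `other-vendor` or `unparseable` are not cleared by this check; they need a manual look at the relevant vendor or distribution advisory.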
Evidence notes
The CVE description and NVD record both identify Oracle MySQL Server as the affected product and state that the issue can let a low-privileged attacker with network access cause a hang or repeatable crash. NVD lists the vulnerable version ranges as 5.6.34 and earlier, and 5.7.16 and earlier, and assigns CVSS v3.0 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The Oracle January 2017 CPU advisory is the vendor patch reference in the supplied source corpus.
Official resources
- CVE-2017-3273 CVE record (CVE.org)
- CVE-2017-3273 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
CVE published by NVD on 2017-01-27T22:59:03.367Z and last modified on 2026-05-13T00:24:29.033Z. The supplied source corpus also cites Oracle’s January 2017 CPU advisory and downstream vendor advisories.