PatchSiren cyber security CVE debrief
CVE-2017-3265 Redhat CVE debrief
CVE-2017-3265 is a MySQL Server component vulnerability in the Packaging subcomponent that can let a highly privileged local attacker with logon access to the host compromise MySQL Server. NVD says successful exploitation may expose critical data or all MySQL-accessible data and can also cause a hang or repeatable crash, with human interaction required.
- Vendor: Redhat
- Product: CVE-2017-3265
- CVSS: MEDIUM 5.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Database administrators and infrastructure teams running Oracle MySQL 5.5.53/5.6.34/5.7.16 or earlier, plus operators of affected downstream packages listed by NVD for Red Hat, Debian, and MariaDB.
Technical summary
NVD classifies the issue as a local attack requiring high privileges and user interaction (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:H). The affected component is MySQL Server: Packaging. The reported impact is confidentiality and availability loss: unauthorized access to critical data or complete MySQL-accessible data, and the ability to hang or repeatedly crash the server.
Defensive priority
Medium. Prioritize remediation if the affected MySQL versions are deployed on shared hosts or anywhere privileged local access is available. Exploitation requires significant attacker access, but it can lead to serious data exposure or denial of service.
Recommended defensive actions
- Confirm whether any Oracle MySQL installation is at or below 5.5.53, 5.6.34, or 5.7.16, and inventory any downstream Red Hat, Debian, or MariaDB packages mapped in NVD.
- Apply the Oracle CPU January 2017 update or the corresponding vendor/distro errata for your platform.
- Restrict and audit local administrative access to database hosts, because the vulnerability requires a highly privileged login on the infrastructure where MySQL executes.
- Review monitoring and alerting for MySQL crashes, hangs, and unexpected restarts on affected systems.
- Track downstream advisory guidance from your Linux distribution or database vendor before and after upgrading to confirm the issue is fully remediated.
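An added example (not part of the original debrief or of any vendor tooling): a Python check for the first action above, classifying version strings against the Oracle MySQL ceilings NVD lists. The function names, verdict labels, and sample inventory are constructed. Branches older than 5.5 are treated as affected on a literal reading of "5.5.53 and earlier", and MariaDB builds are deferred to vendor errata because the page gives no version ranges for them.

```python
import re

# Highest affected release per branch, as listed by NVD for CVE-2017-3265.
AFFECTED_CEILING = {(5, 5): 53, (5, 6): 34, (5, 7): 16}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(version_string):
    """Return 'affected', 'not-in-range', 'check-vendor-errata' or 'unparsed'."""
    # MariaDB reuses MySQL-style numbers on its own release line; the page
    # lists no MariaDB ranges, so defer to the vendor advisory (assumption).
    if "mariadb" in version_string.lower():
        return "check-vendor-errata"
    match = _VERSION_RE.search(version_string)
    if not match:
        return "unparsed"
    major, minor, patch = (int(part) for part in match.groups())
    branch = (major, minor)
    if branch in AFFECTED_CEILING:
        return "affected" if patch <= AFFECTED_CEILING[branch] else "not-in-range"
    # Older branches: "5.5.53 and earlier" read literally (assumption).
    return "affected" if branch < (5, 5) else "not-in-range"


def triage(inventory):
    """Return (host -> verdict, sorted list of hosts to patch first)."""
    verdicts = {host: classify(ver) for host, ver in inventory.items()}
    urgent = sorted(h for h, v in verdicts.items() if v == "affected")
    return verdicts, urgent


# Constructed sample inventory: SELECT VERSION() / `mysqld --version` style strings.
SAMPLE_INVENTORY = {
    "db01": "5.7.16-log",
    "db02": "5.7.17",
    "db03": "mysqld  Ver 5.6.34 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db04": "5.5.54",
    "db05": "10.1.20-MariaDB",
    "db06": "5.5.5-10.1.20-MariaDB",
    "db07": "8.0.30",
}

if __name__ == "__main__":
    verdicts, urgent = triage(SAMPLE_INVENTORY)
    for host in sorted(verdicts):
        print(f"{host}: {verdicts[host]}")
    print("patch first:", ", ".join(urgent))
```

The check compares upstream Oracle version numbers only; for downstream Red Hat, Debian, or MariaDB packages, the distribution's errata decide whether a given package build is fixed.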
Evidence notes
This debrief is based on the CVE record and NVD metadata supplied in the corpus. The description states that the vulnerability affects the Packaging subcomponent of Oracle MySQL Server and that exploitation requires a high-privilege attacker with local logon plus human interaction. NVD lists affected Oracle MySQL version ranges (5.5.53 and earlier, 5.6.34 and earlier, 5.7.16 and earlier) and also maps related downstream package CPEs for Red Hat Enterprise Linux, Debian 8.0, and MariaDB. The provided CVSS vector is CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:H.
Official resources
- CVE-2017-3265 CVE record (CVE.org)
- CVE-2017-3265 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
CVE published in the provided corpus on 2017-01-27T22:59:03.087Z. NVD metadata was last modified on 2026-05-13T00:24:29.033Z. No CISA KEV entry is present in the supplied data.