PatchSiren cyber security CVE debrief
CVE-2017-3291 Redhat CVE debrief
CVE-2017-3291 affects the MySQL Server packaging component in Oracle MySQL. NVD describes it as difficult to exploit and requiring a high-privileged attacker with logon access to the system where MySQL Server runs, plus human interaction from someone other than the attacker. If successful, the issue can lead to takeover of MySQL Server.
- Vendor: Redhat
- Product: CVE-2017-3291
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Database administrators, Linux/package maintainers, and security teams running affected Oracle MySQL releases or downstream packaged builds should review this CVE, especially in environments where privileged local logon is broadly available.
Technical summary
The NVD record lists affected Oracle MySQL versions as 5.5.53 and earlier, 5.6.34 and earlier, and 5.7.16 and earlier. The CVSS v3.1 vector is AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H, which matches the description: local access, high privileges, and user interaction are required before compromise can occur. Successful exploitation can result in takeover of MySQL Server.
Defensive priority
Medium. The base score is 6.3, but the local, high-privilege, user-assisted attack path means the practical risk is greatest on systems with delegated admin access, shared infrastructure, or weaker change-control around privileged logon.
Recommended defensive actions
- Confirm the installed MySQL Server version and upgrade any affected 5.5.53-and-earlier, 5.6.34-and-earlier, or 5.7.16-and-earlier deployments to a vendor-fixed release.
- Apply Oracle's January 2017 Critical Patch Update and any relevant downstream package errata for your distribution.
- Restrict privileged local logon to MySQL hosts and review who can interact with the system as a high-privileged user.
- If you consume packaged MySQL from a Linux distribution, verify the corresponding distro advisory and ensure the patched package revision is installed.
- Prioritize remediation on multi-user systems and managed hosting environments where the required local-privilege and user-interaction conditions are easier to satisfy.
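The first action above, confirming whether an installed server falls inside the affected ranges, is easy to get wrong by hand across three branches. The following is an added example, not code from PatchSiren, Oracle or NVD: it parses the version triple out of a bare version string or the output of `mysqld --version` / `SELECT VERSION()` and compares it against the ranges the NVD record on this page lists (5.5.53, 5.6.34 and 5.7.16 and earlier). The host inventory is constructed for illustration.

```python
"""Triage MySQL Server version strings against the CVE-2017-3291 affected
ranges quoted on this page. Added illustration, not vendor or NVD code."""
import re
from typing import Dict, List, Optional, Tuple

# Highest affected patch level per branch, taken from the NVD record quoted
# on this page. Branches absent here are simply outside the record's scope.
AFFECTED_THROUGH: Dict[Tuple[int, int], int] = {
    (5, 5): 53,
    (5, 6): 34,
    (5, 7): 16,
}

# First "x.y.z" triple; tolerates suffixes such as "5.7.16-log".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version string or tool output,
    or None when no x.y.z triple is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def in_affected_range(text: str) -> Optional[bool]:
    """True when the version is at or below the listed ceiling for its
    branch, False when it is a later patch level or a branch the record
    does not list, None when no version could be parsed."""
    ver = parse_version(text)
    if ver is None:
        return None
    major, minor, patch = ver
    ceiling = AFFECTED_THROUGH.get((major, minor))
    if ceiling is None:
        return False
    return patch <= ceiling


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts by result: 'affected', 'not_in_range', 'unparsed'."""
    buckets: Dict[str, List[str]] = {"affected": [], "not_in_range": [], "unparsed": []}
    for host, version_text in inventory.items():
        verdict = in_affected_range(version_text)
        if verdict is None:
            buckets["unparsed"].append(host)
        elif verdict:
            buckets["affected"].append(host)
        else:
            buckets["not_in_range"].append(host)
    return buckets


# Constructed sample inventory: hostname -> captured `mysqld --version` output.
SAMPLE_INVENTORY = {
    "db-01": "mysqld  Ver 5.7.16 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-02": "mysqld  Ver 5.7.17 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-03": "mysqld  Ver 5.6.34-log for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-04": "mysqld  Ver 5.5.40 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-05": "service unavailable",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A version string alone is not conclusive for distribution-packaged builds: Red Hat and Debian commonly backport fixes while keeping the upstream version number, so for those hosts the package release and the distro errata named in the advisory decide, as the fourth action above says. Treat "not_in_range" as "outside the ranges this record lists", not as a clean bill of health for branches the record never mentions.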
Evidence notes
The supplied NVD metadata states: vulnerability in the MySQL Server component of Oracle MySQL, subcomponent Server: Packaging; affected versions are 5.5.53 and earlier, 5.6.34 and earlier, and 5.7.16 and earlier. It also states that exploitation requires a high-privileged attacker with logon to the infrastructure where MySQL Server executes and human interaction from another person. The recorded CVSS v3.1 vector is AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. NVD references Oracle's January 2017 CPU advisory and downstream Debian and Red Hat advisories, which supports remediation through vendor or distribution package updates.
Official resources
- CVE-2017-3291 CVE record (CVE.org)
- CVE-2017-3291 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE published on 2017-01-27 and last modified in the supplied record on 2026-05-13.