PatchSiren

CVE-2017-3317 Redhat CVE debrief

CVE-2017-3317 is a denial-of-service vulnerability in the MySQL Server logging component. According to NVD, exploitation requires a highly privileged attacker with local access and human interaction, and successful attacks can cause a hang or repeatable crash of MySQL Server.

Vendor: Redhat
Product: CVE-2017-3317
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Database administrators and platform teams running Oracle MySQL 5.5.53 and earlier, 5.6.34 and earlier, or 5.7.16 and earlier should review their exposure. Operators of downstream Linux packages referenced by NVD advisories, including Debian and Red Hat systems, should also confirm whether their packaged MySQL/MariaDB builds include the fix.

Technical summary

NVD classifies the issue with CVSS 3.1 vector CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H. The affected area is the MySQL Server logging subcomponent. The impact is availability-only: an attacker with high local privileges and a human interaction dependency may be able to trigger a complete DoS by causing a hang or frequently repeatable crash. NVD lists affected Oracle MySQL ranges up to 5.5.53, 5.6.34, and 5.7.16, and also maps some downstream Debian, Red Hat, and MariaDB package CPEs.

Defensive priority

Medium. The privilege and interaction requirements reduce exposure, but the outcome is a full service outage, so patching should be scheduled promptly for any environment where privileged local users or shared administration paths exist.

Recommended defensive actions

  • Verify the installed MySQL or packaged MariaDB version against the affected ranges listed by NVD and apply the vendor-fixed build.
  • Use the Oracle CPU Jan 2017 advisory and downstream Debian/Red Hat package advisories to confirm the correct remediation for your distribution.
  • Limit who can obtain shell access or other high-privilege local access on database hosts, since exploitation requires privileged local access.
  • Review operational resilience for MySQL availability, including monitoring and recovery procedures for hangs or repeatable crashes.
  • After updating, confirm the service starts cleanly and that the installed package version is outside the affected ranges.
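
The version checks in the first and last actions can be scripted for a fleet inventory. The following is an added example, not code from NVD, Oracle, or this page's publisher; the function name, status labels, and sample banners are assumptions made for illustration, and the ceilings are the Oracle MySQL ranges quoted above.

```python
import re

# Highest affected patch release per Oracle MySQL branch, as listed on this page.
AFFECTED_CEILING = {(5, 5): 53, (5, 6): 34, (5, 7): 16}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(version_banner: str) -> str:
    """Classify a `mysqld --version` or SELECT VERSION() string for CVE-2017-3317.

    Status labels are hypothetical names chosen for this example.
    """
    match = VERSION_RE.search(version_banner)
    if match is None:
        return "unparsed"
    # MariaDB uses its own version numbering and the page gives no MariaDB
    # range, so defer to the downstream advisory instead of guessing.
    if "mariadb" in version_banner.lower():
        return "vendor-advisory"
    major, minor, patch = (int(part) for part in match.groups())
    ceiling = AFFECTED_CEILING.get((major, minor))
    if ceiling is None:
        # Branch is not one of the three ranges quoted on this page.
        return "unlisted-branch"
    return "affected" if patch <= ceiling else "outside-range"


def report(banners):
    """Map each banner to its classification."""
    return {banner: classify(banner) for banner in banners}


# Constructed sample banners for demonstration (not taken from the page).
SAMPLES = [
    "mysqld  Ver 5.7.16 for Linux on x86_64 (MySQL Community Server (GPL))",
    "mysqld  Ver 5.6.35 for Linux on x86_64 (MySQL Community Server (GPL))",
    "5.5.53-log",
    "10.1.20-MariaDB",
    "8.0.30",
]

if __name__ == "__main__":
    for banner, status in report(SAMPLES).items():
        print(f"{status:16} {banner}")
```

A distribution package may carry a backported fix without changing the upstream version number, so an `affected` result on a Debian or Red Hat build is a prompt to check that distribution's advisory, not a final verdict.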

Evidence notes

The core evidence comes from the NVD record and the Oracle CPU Jan 2017 reference listed there. NVD states the issue affects the MySQL Server logging component and describes the impact as a hang or repeatable crash causing complete DoS. The NVD CVSS vector shows local, high-privilege, user-interaction-required exploitation with availability-only impact. NVD also includes downstream Debian and Red Hat advisory references and package CPE mappings, so affected deployments may include vendor-packaged database builds in addition to Oracle MySQL releases.

Official resources

CVE-2017-3317 was first published on 2017-01-27T22:59:04.507Z. The NVD record was last modified on 2026-05-13T00:24:29.033Z. Oracle CPU January 2017 and downstream Debian/Red Hat advisories are listed among the NVD references.