Bugzilla – Bug 1198607
VUL-0: CVE-2022-27381: mariadb,mariadb-100: server crash at Field::set_default via specially crafted SQL statements.
Last modified: 2022-12-20 11:04:44 UTC
rh#2074981 An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2074981
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27381
https://jira.mariadb.org/browse/MDEV-26061
There is no fix yet, we contacted upstream and they want to fix it in the upcoming releases. These CVEs are part of the bunch with no fix, I opened bugs for all of them separately:
> CVE-2022-27377 https://bugzilla.suse.com/show_bug.cgi?id=1198603
> CVE-2022-27378 https://bugzilla.suse.com/show_bug.cgi?id=1198604
> CVE-2022-27379 https://bugzilla.suse.com/show_bug.cgi?id=1198605
> CVE-2022-27380 https://bugzilla.suse.com/show_bug.cgi?id=1198606
> CVE-2022-27381 https://bugzilla.suse.com/show_bug.cgi?id=1198607
> CVE-2022-27382 https://bugzilla.suse.com/show_bug.cgi?id=1198609
> CVE-2022-27383 https://bugzilla.suse.com/show_bug.cgi?id=1198610
> CVE-2022-27384 https://bugzilla.suse.com/show_bug.cgi?id=1198611
> CVE-2022-27386 https://bugzilla.suse.com/show_bug.cgi?id=1198612
> CVE-2022-27387 https://bugzilla.suse.com/show_bug.cgi?id=1198613
Affected:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/mariadb 10.2.31
- SUSE:SLE-12-SP4:Update/mariadb 10.2.39
- SUSE:SLE-15:Update/mariadb 10.2.43
- SUSE:SLE-15-SP2:Update/mariadb 10.4.14
- SUSE:SLE-15-SP3:Update/mariadb 10.5.15
- SUSE:SLE-15-SP4:Update/mariadb 10.6.7
- openSUSE:Factory/mariadb 10.7.3

Not Affected:
- SUSE:SLE-12-SP1:Update/mariadb 10.0.40.4
- SUSE:SLE-12-SP4:Update/mariadb-100 10.0.40
SUSE-SU-2022:2003-1: An update that fixes 25 vulnerabilities is now available.
Category: security (important)
Bug References: 1198603,1198604,1198605,1198606,1198607,1198609,1198610,1198611,1198612,1198613,1198628,1198629,1198630,1198631,1198632,1198633,1198634,1198635,1198636,1198637,1198638,1198639,1198640,1199928
CVE References: CVE-2021-46669,CVE-2022-21427,CVE-2022-27376,CVE-2022-27377,CVE-2022-27378,CVE-2022-27379,CVE-2022-27380,CVE-2022-27381,CVE-2022-27382,CVE-2022-27383,CVE-2022-27384,CVE-2022-27386,CVE-2022-27387,CVE-2022-27444,CVE-2022-27445,CVE-2022-27446,CVE-2022-27447,CVE-2022-27448,CVE-2022-27449,CVE-2022-27451,CVE-2022-27452,CVE-2022-27455,CVE-2022-27456,CVE-2022-27457,CVE-2022-27458
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): mariadb-10.5.16-150300.3.18.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): mariadb-10.5.16-150300.3.18.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): mariadb-10.5.16-150300.3.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:2107-1: An update that fixes 11 vulnerabilities is now available.
Category: security (important)
Bug References: 1198603,1198604,1198606,1198607,1198610,1198611,1198612,1198613,1198629,1199928
CVE References: CVE-2021-46669,CVE-2022-21427,CVE-2022-27377,CVE-2022-27378,CVE-2022-27380,CVE-2022-27381,CVE-2022-27383,CVE-2022-27384,CVE-2022-27386,CVE-2022-27387,CVE-2022-27445
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise Server for SAP 15 (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise Server 15-LTSS (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): mariadb-10.2.44-150000.3.54.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): mariadb-10.2.44-150000.3.54.1
SUSE Enterprise Storage 6 (src): mariadb-10.2.44-150000.3.54.1
SUSE CaaS Platform 4.0 (src): mariadb-10.2.44-150000.3.54.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:2160-1: An update that fixes 11 vulnerabilities is now available.
Category: security (important)
Bug References: 1198603,1198604,1198606,1198607,1198610,1198611,1198612,1198613,1198629,1199928
CVE References: CVE-2021-46669,CVE-2022-21427,CVE-2022-27377,CVE-2022-27378,CVE-2022-27380,CVE-2022-27381,CVE-2022-27383,CVE-2022-27384,CVE-2022-27386,CVE-2022-27387,CVE-2022-27445
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): mariadb-10.2.44-3.50.1
SUSE OpenStack Cloud 9 (src): mariadb-10.2.44-3.50.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): mariadb-10.2.44-3.50.1
SUSE Linux Enterprise Server 12-SP5 (src): mariadb-10.2.44-3.50.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): mariadb-10.2.44-3.50.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:2189-1: An update that fixes 25 vulnerabilities is now available.
Category: security (important)
Bug References: 1198603,1198604,1198605,1198606,1198607,1198609,1198610,1198611,1198612,1198613,1198628,1198629,1198630,1198631,1198632,1198633,1198634,1198635,1198636,1198637,1198638,1198639,1198640,1199928
CVE References: CVE-2021-46669,CVE-2022-21427,CVE-2022-27376,CVE-2022-27377,CVE-2022-27378,CVE-2022-27379,CVE-2022-27380,CVE-2022-27381,CVE-2022-27382,CVE-2022-27383,CVE-2022-27384,CVE-2022-27386,CVE-2022-27387,CVE-2022-27444,CVE-2022-27445,CVE-2022-27446,CVE-2022-27447,CVE-2022-27448,CVE-2022-27449,CVE-2022-27451,CVE-2022-27452,CVE-2022-27455,CVE-2022-27456,CVE-2022-27457,CVE-2022-27458
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): mariadb-10.4.25-150200.3.28.1
SUSE Manager Retail Branch Server 4.1 (src): mariadb-10.4.25-150200.3.28.1
SUSE Manager Proxy 4.1 (src): mariadb-10.4.25-150200.3.28.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): mariadb-10.4.25-150200.3.28.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): mariadb-10.4.25-150200.3.28.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): mariadb-10.4.25-150200.3.28.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): mariadb-10.4.25-150200.3.28.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): mariadb-10.4.25-150200.3.28.1
SUSE Enterprise Storage 7 (src): mariadb-10.4.25-150200.3.28.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:2561-1: An update that fixes 36 vulnerabilities, contains one feature is now available.
Category: security (important)
Bug References: 1195076,1195325,1195334,1195339,1196016,1198603,1198604,1198605,1198606,1198607,1198609,1198610,1198611,1198612,1198613,1198628,1198629,1198630,1198631,1198632,1198633,1198634,1198635,1198636,1198637,1198638,1198639,1198640,1199928
CVE References: CVE-2021-46657,CVE-2021-46658,CVE-2021-46659,CVE-2021-46661,CVE-2021-46663,CVE-2021-46664,CVE-2021-46665,CVE-2021-46668,CVE-2021-46669,CVE-2022-24048,CVE-2022-24050,CVE-2022-24051,CVE-2022-24052,CVE-2022-27376,CVE-2022-27377,CVE-2022-27378,CVE-2022-27379,CVE-2022-27380,CVE-2022-27381,CVE-2022-27382,CVE-2022-27383,CVE-2022-27384,CVE-2022-27386,CVE-2022-27387,CVE-2022-27444,CVE-2022-27445,CVE-2022-27446,CVE-2022-27447,CVE-2022-27448,CVE-2022-27449,CVE-2022-27451,CVE-2022-27452,CVE-2022-27455,CVE-2022-27456,CVE-2022-27457,CVE-2022-27458
JIRA References: SLE-22245
Sources used:
openSUSE Leap 15.4 (src): mariadb-10.6.8-150400.3.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): mariadb-10.6.8-150400.3.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
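The advisory comments above give the fixed source-package versions per product line, but whether a given host is patched depends on an RPM version-release comparison, not a plain string match (10.2.44-3.50.1 and 10.2.44-150000.3.54.1 are the same upstream version on different release streams). The script below is an added example, not SUSE or MariaDB code: it carries the fixed VERSION-RELEASE labels quoted in this bug, implements the rpmvercmp segment ordering (digits numerically, letters lexically, "~" sorts before everything), and reports whether an installed mariadb package is at or above the fixed build. The product keys in FIXED_VR are short labels chosen here, not SUSE product identifiers, and the sample inputs in the usage are constructed.

```python
"""Check whether an installed SUSE mariadb package carries the fix for
CVE-2022-27381, using the fixed source-package versions quoted in the
SUSE-SU-2022 advisories on this bug.  Added example, not SUSE/MariaDB code."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed "VERSION-RELEASE" labels per product line, copied from the advisory
# comments (SUSE-SU-2022:2003-1, 2107-1, 2160-1, 2189-1, 2561-1).
# Keys are labels chosen for this example, not SUSE product identifiers.
FIXED_VR = {
    "SLE-15-SP3": "10.5.16-150300.3.18.1",   # also openSUSE Leap 15.3
    "SLE-15-SP1": "10.2.44-150000.3.54.1",   # also SLE 15 LTSS, SES 6, CaaSP 4.0
    "SLE-15":     "10.2.44-150000.3.54.1",
    "SLE-12-SP4": "10.2.44-3.50.1",          # also SLE 12 SP5, SUSE OpenStack Cloud 9
    "SLE-12-SP5": "10.2.44-3.50.1",
    "SLE-15-SP2": "10.4.25-150200.3.28.1",   # also SUSE Manager 4.1, SES 7
    "SLE-15-SP4": "10.6.8-150400.3.7.1",     # also openSUSE Leap 15.4
}

_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version or release strings the way librpm's rpmvercmp does:
    split into digit runs and letter runs; digit runs compare numerically,
    letter runs lexically, a digit run beats a letter run, a longer string
    beats its prefix, and '~' sorts before everything, including the end of
    the string (so 1.0~rc1 < 1.0).  Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue                      # both '~': keep going
        if x is None:
            return -1                     # a is a strict prefix of b
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_vr(vr: str) -> Tuple[str, str]:
    """Split 'VERSION-RELEASE' at the last dash (RELEASE never contains one)."""
    version, sep, release = vr.rpartition("-")
    if not sep or not version:
        raise ValueError(f"expected VERSION-RELEASE, got {vr!r}")
    return version, release


def compare_vr(a: str, b: str) -> int:
    """Order two VERSION-RELEASE labels: version first, release on a tie.
    Epochs are ignored; the advisories quote none for these packages."""
    av, ar = split_vr(a)
    bv, br = split_vr(b)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


def is_fixed(product: str, installed_vr: str) -> bool:
    """True when installed_vr is at or above the fixed build for that product.
    Raises KeyError for product lines the table does not cover."""
    return compare_vr(installed_vr, FIXED_VR[product]) >= 0


def installed_mariadb_vr() -> Optional[str]:
    """Read VERSION-RELEASE from the local rpm database; None if rpm is
    unavailable or the mariadb package is not installed."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "mariadb"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    import sys
    product = sys.argv[1] if len(sys.argv) > 1 else "SLE-15-SP3"
    # Constructed sample when no rpm database is available.
    vr = installed_mariadb_vr() or "10.5.15-150300.3.15.1"
    state = "fixed" if is_fixed(product, vr) else "VULNERABLE"
    print(f"{product}: mariadb {vr} -> {state}")
```

Run it with the product line as the first argument (`python3 check.py SLE-15-SP4`); on a host without rpm it falls back to a constructed 10.5.15 label and reports VULNERABLE. The check only says whether the package carries the advisory build; a server still has to be restarted after the update for the fix to take effect, and mariadb-100 on SLE 12 SP4 is listed as not affected and is not in the table.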
done