製品・ソフトウェアに関する情報

JVN脆弱性詳細

MySQL で使用される yaSSL における複数のバッファオーバーフローの脆弱性

Title	MySQL で使用される yaSSL における複数のバッファオーバーフローの脆弱性
Summary	MySQL で使用されている yaSSL には、handshake.cpp の ProcessOldClientHello() 関数および yassl_imp.cpp の “input_buffer& operator»” に不備があり、バッファオーバーフローが発生する脆弱性が存在します。
Possible impacts	第三者により任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 10, 2008, midnight
Registration Date	Feb. 5, 2008, 4 p.m.
Last Update	Feb. 19, 2010, 11:32 a.m.

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

MySQL AB

MySQL 5.1.23 未満

MySQL Community Server 5.0.51a 未満

MySQL Enterprise Server 5.0.50sp1a 未満

MySQL Enterprise Server 5.0.54a 未満

アップル

Apple Mac OS X Server v10.5.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-0226	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226
National Vulnerability Database (NVD)
2	CVE-2008-0226	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0226

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT3216	http://support.apple.com/kb/HT3216
Apple セキュリティアップデート
2	HT3216	http://support.apple.com/kb/HT3216?viewlocale=ja_JP
MySQL Documentation
3	Changes in MySQL 5.1.23	http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html
4	releasenotes-cs-5-0-51a	http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-51a.html
5	releasenotes-es-5-0-50sp1a	http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-50sp1a.html
6	releasenotes-es-5-0-54a	http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-54a.html

その他

No	Name	URL
FrSIRT Advisories
1	FrSIRT/ADV-2008-0560	http://www.frsirt.com/english/advisories/2008/0560
Secunia Advisory
2	SA28324	http://secunia.com/advisories/28324/
3	SA28419	http://secunia.com/advisories/28419/
SecurityFocus
4	27140	http://www.securityfocus.com/bid/27140

Change Log

No	Changed Details	Date of change
0	[2008年02月05日] 掲載 [2008年06月17日] 影響を受けるシステム：MySQL AB (releasenotes-es-5-0-50sp1a) の情報を追加ベンダ情報：MySQL AB (releasenotes-es-5-0-50sp1a) を追加 [2008年10月31日] 影響を受けるシステム：アップル（HT3216）の情報を追加ベンダ情報：アップル（HT3216）を追加 [2010年02月19日] 影響を受けるシステム：MySQL AB（Changes in MySQL 5.1.23）の情報を追加ベンダ情報：MySQL AB（Changes in MySQL 5.1.23）を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-0226

Summary	Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
Publication Date	Jan. 11, 2008, 8:46 a.m.
Registration Date	Jan. 29, 2021, 1:30 p.m.
Last Update	Dec. 18, 2019, 5:26 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:yassl:yassl::::::::			1.7.5

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:mysql:mysql:5.0.0:::::::*
cpe:2.3:a:mysql:mysql:5.0.1:::::::*
cpe:2.3:a:mysql:mysql:5.0.2:::::::*
cpe:2.3:a:mysql:mysql:5.0.3:::::::*
cpe:2.3:a:mysql:mysql:5.0.4:::::::*
cpe:2.3:a:mysql:mysql:5.0.5:::::::*
cpe:2.3:a:mysql:mysql:5.0.10:::::::*
cpe:2.3:a:mysql:mysql:5.0.15:::::::*
cpe:2.3:a:mysql:mysql:5.0.16:::::::*
cpe:2.3:a:mysql:mysql:5.0.17:::::::*
cpe:2.3:a:mysql:mysql:5.0.20:::::::*
cpe:2.3:a:mysql:mysql:5.0.24:::::::*
cpe:2.3:a:mysql:mysql:5.0.30:::::::*
cpe:2.3:a:mysql:mysql:5.0.36:::::::*
cpe:2.3:a:mysql:mysql:5.0.44:::::::*
cpe:2.3:a:mysql:mysql:5.0.54:::::::*
cpe:2.3:a:mysql:mysql:5.0.56:::::::*
cpe:2.3:a:mysql:mysql:5.0.60:::::::*
cpe:2.3:a:mysql:mysql:5.0.66:::::::*
cpe:2.3:a:mysql:mysql:5.1.5:::::::*
cpe:2.3:a:oracle:mysql:5.0.23:::::::*
cpe:2.3:a:oracle:mysql:5.0.25:::::::*
cpe:2.3:a:oracle:mysql:5.0.26:::::::*
cpe:2.3:a:oracle:mysql:5.0.28:::::::*
cpe:2.3:a:oracle:mysql:5.0.30:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.32:::::::*
cpe:2.3:a:oracle:mysql:5.0.34:::::::*
cpe:2.3:a:oracle:mysql:5.0.36:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.38:::::::*
cpe:2.3:a:oracle:mysql:5.0.40:::::::*
cpe:2.3:a:oracle:mysql:5.0.41:::::::*
cpe:2.3:a:oracle:mysql:5.0.42:::::::*
cpe:2.3:a:oracle:mysql:5.0.44:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.45:::::::*
cpe:2.3:a:oracle:mysql:5.0.46:::::::*
cpe:2.3:a:oracle:mysql:5.0.48:::::::*
cpe:2.3:a:oracle:mysql:5.0.50:::::::*
cpe:2.3:a:oracle:mysql:5.0.50:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.51:::::::*
cpe:2.3:a:oracle:mysql:5.0.52:::::::*
cpe:2.3:a:oracle:mysql:5.0.56:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.58:::::::*
cpe:2.3:a:oracle:mysql:5.0.60:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.62:::::::*
cpe:2.3:a:oracle:mysql:5.0.64:::::::*
cpe:2.3:a:oracle:mysql:5.0.66:sp1::::::
cpe:2.3:a:oracle:mysql:5.1:::::::*
cpe:2.3:a:oracle:mysql:5.1.1:::::::*
cpe:2.3:a:oracle:mysql:5.1.2:::::::*
cpe:2.3:a:oracle:mysql:5.1.3:::::::*
cpe:2.3:a:oracle:mysql:5.1.4:::::::*
cpe:2.3:a:oracle:mysql:5.1.6:::::::*
cpe:2.3:a:oracle:mysql:5.1.7:::::::*
cpe:2.3:a:oracle:mysql:5.1.8:::::::*
cpe:2.3:a:oracle:mysql:5.1.9:::::::*
cpe:2.3:a:oracle:mysql:5.1.10:::::::*
cpe:2.3:a:oracle:mysql:5.1.11:::::::*
cpe:2.3:a:oracle:mysql:5.1.12:::::::*
cpe:2.3:a:oracle:mysql:5.1.13:::::::*
cpe:2.3:a:oracle:mysql:5.1.14:::::::*
cpe:2.3:a:oracle:mysql:5.1.15:::::::*
cpe:2.3:a:oracle:mysql:5.1.16:::::::*
cpe:2.3:a:oracle:mysql:5.1.17:::::::*
cpe:2.3:a:oracle:mysql:5.1.18:::::::*
cpe:2.3:a:oracle:mysql:5.1.19:::::::*
cpe:2.3:a:oracle:mysql:5.1.20:::::::*
cpe:2.3:a:oracle:mysql:5.1.21:::::::*
cpe:2.3:a:oracle:mysql:5.1.22:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x:10.5.4:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:5.0:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:6.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://bugs.mysql.com/33814	CONFIRM	Permissions Required
2	http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html	CONFIRM	Not Applicable
3	http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	APPLE	Mailing List Third Party Advisory
4	http://secunia.com/advisories/28324	SECUNIA	Not Applicable
5	http://secunia.com/advisories/28419	SECUNIA	Not Applicable
6	http://secunia.com/advisories/28597	SECUNIA	Not Applicable
7	http://secunia.com/advisories/29443	SECUNIA	Not Applicable
8	http://secunia.com/advisories/32222	SECUNIA	Not Applicable
9	http://securityreason.com/securityalert/3531	SREASON	Third Party Advisory
10	http://support.apple.com/kb/HT3216	CONFIRM	Third Party Advisory
11	http://www.debian.org/security/2008/dsa-1478	DEBIAN	Third Party Advisory
12	http://www.mandriva.com/security/advisories?name=MDVSA-2008:150	MANDRIVA	Broken Link
13	http://www.securityfocus.com/archive/1/485810/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
14	http://www.securityfocus.com/archive/1/485811/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
15	http://www.securityfocus.com/bid/27140	BID	Third Party Advisory VDB Entry
16	http://www.securityfocus.com/bid/31681	BID	Third Party Advisory VDB Entry
17	http://www.ubuntu.com/usn/usn-588-1	UBUNTU	Third Party Advisory
18	http://www.vupen.com/english/advisories/2008/0560/references	VUPEN	Permissions Required
19	http://www.vupen.com/english/advisories/2008/2780	VUPEN	Permissions Required
20	https://exchange.xforce.ibmcloud.com/vulnerabilities/39429	XF	VDB Entry
21	https://exchange.xforce.ibmcloud.com/vulnerabilities/39431	XF	VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:mysql:mysql:5.0.0:::::::*
cpe:2.3:a:mysql:mysql:5.0.1:::::::*
cpe:2.3:a:mysql:mysql:5.0.2:::::::*
cpe:2.3:a:mysql:mysql:5.0.3:::::::*
cpe:2.3:a:mysql:mysql:5.0.4:::::::*
cpe:2.3:a:mysql:mysql:5.0.5:::::::*
cpe:2.3:a:mysql:mysql:5.0.10:::::::*
cpe:2.3:a:mysql:mysql:5.0.15:::::::*
cpe:2.3:a:mysql:mysql:5.0.16:::::::*
cpe:2.3:a:mysql:mysql:5.0.17:::::::*
cpe:2.3:a:mysql:mysql:5.0.20:::::::*
cpe:2.3:a:mysql:mysql:5.0.24:::::::*
cpe:2.3:a:mysql:mysql:5.0.30:::::::*
cpe:2.3:a:mysql:mysql:5.0.36:::::::*
cpe:2.3:a:mysql:mysql:5.0.44:::::::*
cpe:2.3:a:mysql:mysql:5.0.54:::::::*
cpe:2.3:a:mysql:mysql:5.0.56:::::::*
cpe:2.3:a:mysql:mysql:5.0.60:::::::*
cpe:2.3:a:mysql:mysql:5.0.66:::::::*
cpe:2.3:a:mysql:mysql:5.1.5:::::::*
cpe:2.3:a:oracle:mysql:5.0.23:::::::*
cpe:2.3:a:oracle:mysql:5.0.25:::::::*
cpe:2.3:a:oracle:mysql:5.0.26:::::::*
cpe:2.3:a:oracle:mysql:5.0.28:::::::*
cpe:2.3:a:oracle:mysql:5.0.30:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.32:::::::*
cpe:2.3:a:oracle:mysql:5.0.34:::::::*
cpe:2.3:a:oracle:mysql:5.0.36:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.38:::::::*
cpe:2.3:a:oracle:mysql:5.0.40:::::::*
cpe:2.3:a:oracle:mysql:5.0.41:::::::*
cpe:2.3:a:oracle:mysql:5.0.42:::::::*
cpe:2.3:a:oracle:mysql:5.0.44:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.45:::::::*
cpe:2.3:a:oracle:mysql:5.0.46:::::::*
cpe:2.3:a:oracle:mysql:5.0.48:::::::*
cpe:2.3:a:oracle:mysql:5.0.50:::::::*
cpe:2.3:a:oracle:mysql:5.0.50:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.51:::::::*
cpe:2.3:a:oracle:mysql:5.0.52:::::::*
cpe:2.3:a:oracle:mysql:5.0.56:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.58:::::::*
cpe:2.3:a:oracle:mysql:5.0.60:sp1::::::
cpe:2.3:a:oracle:mysql:5.0.62:::::::*
cpe:2.3:a:oracle:mysql:5.0.64:::::::*
cpe:2.3:a:oracle:mysql:5.0.66:sp1::::::
cpe:2.3:a:oracle:mysql:5.1:::::::*
cpe:2.3:a:oracle:mysql:5.1.1:::::::*
cpe:2.3:a:oracle:mysql:5.1.2:::::::*
cpe:2.3:a:oracle:mysql:5.1.3:::::::*
cpe:2.3:a:oracle:mysql:5.1.4:::::::*
cpe:2.3:a:oracle:mysql:5.1.6:::::::*
cpe:2.3:a:oracle:mysql:5.1.7:::::::*
cpe:2.3:a:oracle:mysql:5.1.8:::::::*
cpe:2.3:a:oracle:mysql:5.1.9:::::::*
cpe:2.3:a:oracle:mysql:5.1.10:::::::*
cpe:2.3:a:oracle:mysql:5.1.11:::::::*
cpe:2.3:a:oracle:mysql:5.1.12:::::::*
cpe:2.3:a:oracle:mysql:5.1.13:::::::*
cpe:2.3:a:oracle:mysql:5.1.14:::::::*
cpe:2.3:a:oracle:mysql:5.1.15:::::::*
cpe:2.3:a:oracle:mysql:5.1.16:::::::*
cpe:2.3:a:oracle:mysql:5.1.17:::::::*
cpe:2.3:a:oracle:mysql:5.1.18:::::::*
cpe:2.3:a:oracle:mysql:5.1.19:::::::*
cpe:2.3:a:oracle:mysql:5.1.20:::::::*
cpe:2.3:a:oracle:mysql:5.1.21:::::::*
cpe:2.3:a:oracle:mysql:5.1.22:::::::*