From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 15 Mar 2005 11:35:53 +0200
Subject: [NT] MySQL MaxDB Web Agent Multiple DoS Vulnerabilities (DBMCli, DBMWeb)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050315113054.1F81157FA@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MySQL MaxDB Web Agent Multiple DoS Vulnerabilities (DBMCli, DBMWeb)
------------------------------------------------------------------------
SUMMARY
<http://www.mysql.com/products/maxdb/>; MaxDB by MySQL is "a re-branded
and enhanced version of SAP DB, SAP AG's open source database. MaxDB is a
heavy-duty, SAP-certified open source database that offers high
availability, salability and a comprehensive feature set. MaxDB
complements the MySQL database server, targeted for large mySAP ERP
environments and other applications that require maximum enterprise-level
database functionality".
A number of remotely exploitable input validation errors have been found
to exist in MySQL MaxDB and SAP DB Web Agent products.
DETAILS
Vulnerable Systems:
* MySQL MaxDB version 7.5.00 for Windows. It is suspected that earlier
versions and versions on other platforms are vulnerable as well.
Immune Systems:
* MySQL MaxDB version 7.5.00.24 and newer
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0083>;
CAN-2005-0083
The vulnerabilities specifically exist due to insufficient validation of
user input data. The input validation error results in a null pointer
dereference in the following functions which can lead to a denial of
service condition:
DBMCli_String::ReallocString
DBMCli_String::operator
DBMCli_Buffer::ForceResize
DBMCli_Wizard::InstallDatabase
DBMCli_Devspaces::Complete
DBMWeb_TemplateWizard::askForWriteCountStep5
DBMWeb_DBMWeb::wizardDB
A remote attacker can request the function with invalid parameters to
cause a null pointer dereference resulting in a crash of MySQL MaxDB Web
Agent. The attacks are trivially exploited, as a remote attacker can send
simple HTTP requests to cause MaxDB Web Agent to crash.
Workaround:
Use a firewall to only allow trusted hosts to connect to the MySQL MaxDB
Web Agent HTTP Service.
Vendor Status:
These vulnerabilities are addressed in MySQL MaxDB 7.5.00.24 available for
download at: <http://dev.mysql.com/downloads/maxdb/7.5.00.html>;
http://dev.mysql.com/downloads/maxdb/7.5.00.html.
Disclosure Timeline:
09/15/2004 - Initial vendor contact
01/06/2005 - Secondary vendor contact
01/07/2005 - Initial vendor response
03/14/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com.> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=218&type=vulnerabilities>; http://www.idefense.com/application/poi/display?id=218&type=vulnerabilities
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
