Hillstone Networks

RULE（RULE ID：1605137）

Rule General Information


Release Date:		2019-07-12

Rule Name:		MySQL/MariaDB memcmp() SSE authentication bypass Vulnerability (CVE-2012-2122)

Severity:

CVE ID:

Rule Protection Details


Description:		sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

Impact:		An attacker could exploit this vulnerability to have unspecified effect.

Affected OS:		Windows, Linux, FreeBSD, Solaris, Other Unix, Network Device, Mac OS, iOS, Android, Others

Reference:		ExploitDB:19092 http://bugs.mysql.com/bug.php?id=64884 http://kb.askmonty.org/en/mariadb-5162-release-notes/ http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html

Solutions

The vendors have released upgrade patches to fix vulnerabilities, please visit:
http://www.mysql.com/