Vulnerable versions can be updated to 8.0.28 or later to fix this issue. For upgrade instructions see:

In a short attack scenario, a low-privileged attacker with network access via multiple protocols can compromise MySQL Server.

In a long attack scenario, a low-privileged attacker with network access via multiple protocols can compromise MySQL Server.

Bug#72469 - High CVE-2016-6661: Remote denial of service in InnoDB.

We were informed that CVE-2015-4791 and CVE-2016-6660 have been patched in the 8.0.28 version. However, the problem remains in older versions. In order to resolve the issue and patch affected versions, update MySQL Server to version 8.0.28 or later. See also: https://dev.mysql.com/doc/relnotes/mysql/en/security-advisory-201609-01.html

In case of doubt, users are advised to update to the latest version.

CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2016-6661 is a generic vulnerability that applies to all database servers. Technical details: Remote denial of service in InnoDB.

The denial of service can be triggered by a user



Vulnerable and Fixed Software

The following table lists the MySQL software versions that are known to be affected by this vulnerability.

Version            | Vulnerable | Fixed*
8.0.18 and earlier | Yes        | Yes
8.0.19 and later   | Yes        |
8.0.20 and later   | Yes        |

Summary of Vulnerability

A denial of service vulnerability in InnoDB that affects all versions of MySQL Server has been patched. The vulnerability can be triggered by a user without authentication. A low-privileged attacker with network access via multiple protocols can exploit the vulnerability to compromise MySQL Server.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/24/2022 19:02:00 UTC

References