Vulnerable versions can be updated to 8.0.28 or later to fix this issue. For upgrade instructions see:

In a short attack scenario, a low-privileged attacker with network access via multiple protocols can compromise MySQL Server. In a long attack scenario, a low-privileged attacker with network access via multiple protocols can compromise MySQL Server.

Bug#72469 - High CVE-2016-6661: Remote denial of service in InnoDB. We were informed that CVE-2015-4791 and CVE-2016-6660 have been patched in the 8.0.28 version. However, the problem remains in older versions. In order to resolve the issue and patch affected versions, update MySQL Server to version 8.0.28 or later. See also: https://dev.mysql.com/doc/relnotes/mysql/en/security-advisory-201609-01.html In case of doubt, users are advised to update to the latest version.

CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2016-6661 is a generic vulnerability that applies to all database servers. Technical details: Remote denial of service in InnoDB.
The denial of service can be triggered by a user
Vulnerable code snippet:
Vulnerable and Fixed Software
The following table lists the MySQL software versions that are known to be affected by this vulnerability.
Version            | Vulnerable | Fixed*
8.0.18 and earlier | Yes        | Yes
8.0.19 and later   | Yes        |
8.0.20 and later   | Yes        |
Summary of Vulnerability
A denial of service vulnerability in InnoDB that affects all versions of MySQL Server has been patched. The vulnerability can be triggered by a user without authentication. A low-privileged attacker with network access via multiple protocols can exploit the vulnerability to compromise MySQL Server.