Vulnerability Scanning and Security Assessment Issues

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: 漏洞扫描安全评估问题

| username: jochenshen

After upgrading the TiDB cluster to v7.1.1, our security vulnerability scan reported the issues listed below. How can these be resolved?

OpenSSL code issue vulnerability (CVE-2020-1967)
Oracle MySQL Server 5.7.X < 5.7.42 security vulnerability (April 2023 CPU)
Haxx libcurl buffer error vulnerability (CVE-2019-3822)
Oracle MySQL Server multiple vulnerabilities (July 2022 CPU)
Oracle MySQL Server < 5.7.40 security vulnerability (October 2022 CPU)
Oracle MySQL Server < 5.7.37 security vulnerability (January 2022 CPU)
MySQL 5.7.x < 5.7.35 multiple vulnerabilities (July 2021 CPU)
MySQL 5.7.x < 5.7.33 multiple vulnerabilities (January 2021 patch)
MySQL Database 5.7.x < 5.7.32 multiple security vulnerabilities (October 2020 CPU)
Oracle MySQL Server security vulnerability (CVE-2020-14559)
Oracle MySQL Server security vulnerability (CVE-2020-14550)
Oracle MySQL Server security vulnerability (CVE-2020-14553)
Oracle MySQL Server security vulnerability (CVE-2020-14547)
Oracle MySQL Server security vulnerability (CVE-2020-14540)
Oracle MySQL Server security vulnerability (CVE-2020-14539)
Oracle MySQL Server security vulnerability (CVE-2020-14576)
Haxx libcurl buffer error vulnerability (CVE-2019-3823)
Haxx libcurl buffer error vulnerability (CVE-2018-16890)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2774)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2819)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2791)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2740)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2805)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2737)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2757)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2758)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2778)
OpenSSL information leakage vulnerability (CNVD-2019-05906) (CVE-2019-1559)
Oracle MySQL Server information leakage vulnerability (CNVD-2019-10371) (CVE-2019-2632)
Oracle MySQL Server access control error vulnerability (CVE-2019-2581)
Oracle MySQL Server denial of service vulnerability (CNVD-2019-10373) (CVE-2019-2628)
Oracle MySQL Server denial of service vulnerability (CNVD-2019-10374) (CVE-2019-2627)
Oracle MySQL Server access control error vulnerability (CVE-2019-2566)
Oracle MySQL Server denial of service vulnerability (CNVD-2019-12459) (CVE-2019-2592)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2755)
Oracle MySQL Server denial of service vulnerability (CNVD-2019-11752) (CVE-2019-2683)
MySQL server detection
HTTP response header X-Content-Type-Options: nosniff Web security
HTTP response header using X-XSS-Protection Web security
HTTP response header using X-Frame-Options Web security
Oracle MySQL Server component access control error vulnerability (CVE-2019-2738)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2797)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2741)
Oracle MySQL Server component access control error vulnerability (CVE-2019-2739)
Oracle MySQL Server denial of service vulnerability (CNVD-2019-12175) (CVE-2019-2614)

| username: MrSylar | Original post link

  1. OpenSSL can be directly upgraded.
  2. The vulnerabilities in Oracle MySQL do not apply to TiDB; you can bypass the vulnerabilities by modifying the configuration file parameter server-version.

| username: tidb菜鸟一只 | Original post link

Our security vulnerability scanning tool requires a specific MySQL version. Does TiDB support modifying the server version number?

| username: ShawnYan | Original post link

Modify the TiDB cluster version to 5.7.42 or above to bypass the vulnerability scan.

| username: zhanggame1 | Original post link

Modify the version number. I just tested it today, and it worked fine after the change.
Modify the MySQL version number displayed externally by TiDB to resolve vulnerability scanning issues.

High Reliability FAQ | PingCAP Documentation Center

[image: current version string reported by the cluster]

The current version is shown above; modify it to 5.7.99-TiDB-V7.12.0

[image: version string after the change]

| username: Kongdom | Original post link

:astonished: Is there a version 99? Can this fundamentally solve the vulnerability issue?

| username: zhanggame1 | Original post link

Yes, the MySQL 5.7 version will never reach version 99. If the version number doesn’t exist, naturally there won’t be any vulnerabilities associated with it. Vulnerability scanning is quite rudimentary; it doesn’t actually know what vulnerabilities the server has. It just checks the version number and displays the list of vulnerabilities associated with that version number.

In the past, when I scanned Oracle 19c, the vulnerability scan could not detect whether or not patches had been applied. It could only do so if the server's root account and the Oracle administrator account were provided to the scanner.
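
The two replies above (the version-string change, and the observation that the scanner only reads the announced version) can be shown in working code. The block below is an added example and is not code from the forum thread, from TiDB or from PingCAP. It constructs a MySQL protocol v10 handshake packet by hand (the constructed bytes are labelled as such), extracts the server version string the way a banner-based scanner does, and applies a stand-in rule of the form "MySQL 5.7.x earlier than 5.7.42 is affected". The sample banners `5.7.25-TiDB-v7.1.1` (assumed to be the default string a TiDB v7.1.1 cluster announces; confirm yours with `SELECT VERSION()`), `5.7.99-TiDB-v7.1.1` (the spoofed value set through the `server-version` configuration item mentioned earlier in the thread) and `8.0.11-TiDB-v7.2.0` are assumptions, not values taken from the original posts. The point the example makes visible is that the finding disappears because the banner changed, while nothing about the server binary did.

```python
"""
Added example (not from the forum thread, TiDB or PingCAP): parse the version
string a MySQL-protocol server announces in its initial handshake and apply a
banner-only vulnerability rule of the kind a network scanner ships.

Assumptions, labelled: the packet bytes are CONSTRUCTED here following the
MySQL Protocol::HandshakeV10 layout; the rule "5.7.x below 5.7.42 is affected"
stands in for the scanner's real signature; the sample TiDB banners are assumed.
"""
import re
import struct


def build_handshake(server_version: str, connection_id: int = 1) -> bytes:
    """Construct a minimal HandshakeV10 packet (constructed test data).

    Layout: [3-byte little-endian payload length][1-byte sequence id]
            [0x0a protocol version][server version, NUL-terminated]
            [4-byte connection id][8-byte auth-plugin-data-part-1][0x00 filler]
            [2-byte lower capability flags] ...
    Only the bytes up to the version string matter to a banner scanner.
    """
    payload = (
        b"\x0a"                                  # protocol version 10
        + server_version.encode() + b"\x00"      # NUL-terminated version string
        + struct.pack("<I", connection_id)       # connection id
        + b"12345678" + b"\x00"                  # auth-plugin-data-part-1 + filler
        + b"\xff\xff"                            # capability flags (lower 2 bytes)
    )
    header = struct.pack("<I", len(payload))[:3] + b"\x00"  # length + seq id 0
    return header + payload


def parse_server_version(packet: bytes) -> str:
    """Return the server version string from a HandshakeV10 packet."""
    if len(packet) < 6 or packet[4] != 0x0A:
        raise ValueError("not a protocol v10 handshake")
    end = packet.index(b"\x00", 5)          # version string is NUL-terminated
    return packet[5:end].decode("ascii")


def banner_version_tuple(version: str) -> tuple:
    """Leading numeric version only: '5.7.25-TiDB-v7.1.1' -> (5, 7, 25).

    The '-TiDB-v7.1.1' suffix is ignored, exactly as a MySQL signature would.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(x) for x in m.groups())


def banner_scanner(version: str, fixed_in=(5, 7, 42)) -> bool:
    """Banner-only check: report 'vulnerable' when the announced version is in
    the same 5.7 line and older than the release the rule says fixed it.
    Nothing about the server's actual code is inspected."""
    v = banner_version_tuple(version)
    return v[:2] == fixed_in[:2] and v < fixed_in


def scan(packet: bytes) -> dict:
    """What a scanner would record for one target."""
    version = parse_server_version(packet)
    return {"version": version, "flagged": banner_scanner(version)}


if __name__ == "__main__":
    # Assumed default TiDB v7.1 banner, the spoofed 5.7.99 banner from the
    # thread, and an 8.0-style banner: only the first one is flagged.
    for banner in ("5.7.25-TiDB-v7.1.1", "5.7.99-TiDB-v7.1.1", "8.0.11-TiDB-v7.2.0"):
        print(scan(build_handshake(banner)))
```

Running the block prints one line per banner; the same TiDB binary is flagged or not purely on the string it announces, which is why a version number that does not exist in the MySQL 5.7 line clears the finding without changing the server.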

| username: ShawnYan | Original post link

It can solve the vulnerability scanning issue in one go, but after 5.7 reaches EOL, new CVEs might be reported, so it will need to be changed again in the future, for example to 8.0.99 or 8.99.99 :sweat_smile:

| username: Kongdom | Original post link

:thinking: At least it will be a long time from now.

| username: ShawnYan | Original post link

Not long now: MySQL 5.7 has two months left until EOL, MySQL 8.2 is on the way, and it will show up in vulnerability scans next year.

| username: Kongdom | Original post link

:joy: :joy: :joy: Came so fast~ caught off guard~

| username: ShawnYan | Original post link

To add a bit more, following the screenshot above, it was mentioned at this year’s user conference that TiDB will be compatible with MySQL 8 this year. Starting from TiDB 7.2, this has already been changed:

welcome to mysql 8 compatible tidb

Corresponding PR:

| username: Kongdom | Original post link

Awesome, I just encountered a compatibility issue with version 8.0, and now the pillow has arrived just when I wanted to sleep~ :+1:

| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.