Novel Contributions to the field - How I broke MySQLs code-base (Part 2) [CVE-2016-5541] MySQL cluster remote 0day

 ************************************************************************************
 *
                                              *
 * Copyright (c) 2017, Advanced Information Security Corp / Oracle Inc.    *
 *
                                              *
 *
                                              *
 ************************************************************************************

ABSTRACT
===========

This industry-led research was conducted by Advanced Information
Security co-jointly with Oracle Corporation. The CVE assigned for the
MySQL Cluster issues is CVE-2016-5541. This security research
concluded to multiple zero-day vulnerabilities affecting the MySQL
Protocol protocol. Feasibility of exploitation is remote &
unauthenticated.



The vulnerability can be exploited over the MySQL Protocol protocol.
The Cluster: NDBAPI sub component can be exploited.


VERSIONS AFFECTED
====================

Oracle MySQL Cluster 7.4.12
Oracle MySQL Cluster 7.4.5
Oracle MySQL Cluster 7.3.14
Oracle MySQL Cluster 7.3.8
Oracle MySQL Cluster 7.2.26
Oracle MySQL Cluster 7.2.25
Oracle MySQL Cluster 7.2.19


A full report can be obtained from
https://www.docdroid.net/o2uVeg4/cve-2016-5541.pdf.html


(References)

[1]  Oracle Critical Patch Update - January 2017. 2017. Oracle
Critical Patch Update - January 2017. [ONLINE] Available at:
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html