Oracle MySQL Server Geometry Query DoS (Mar 22, 2013)


MySQL is the world’s most used open source relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases. It uses Structured Query Language (SQL). It is a popular choice of database for use in web applications, and is a central component of the widely used LAMP open source web application software stack (and other ‘AMP’ stacks). For commercial use, several paid editions are available and offer additional functionality. As with other database implementations, MySQL has a number of built-in SQL functions and supported operators that are designed to assist the user with the task of querying and updating the database.

MySQL supports spatial extensions to enable the generation, storage, and analysis of geographic features. MySQL implements a subset of the SQL with Geometry Types environment proposed by the Open Geospatial Consortium (OGC). This term refers to an SQL environment that has been extended with a set of geometry types. A geometry-valued SQL column is implemented as a column that has a geometry type.

Geometry is the root class of the hierarchy. It has a number of properties that are common to all geometry values created from any of the Geometry subclasses. Geometry subclasses include Point, Curve, LineString, Surface and Polygon. These Geometry objects can be stored in MySQL's internal Geometry format or be represented as Well-Known Text (WKT) or Well-Known Binary (WKB).

MySQL implements many functions that perform operations on Geometry objects, one of which is Envelope(). A vulnerability exists in the MySQL Envelope() function: it fails to validate user-supplied data when handling serialized Geometry objects. A remote, authenticated attacker can exploit this vulnerability by sending an Envelope() query on a malicious Geometry object to a vulnerable server. Successful exploitation could result in a denial-of-service condition.

The Dell SonicWALL threat team has researched this vulnerability and released the following IPS signatures addressing the issue:

  • 9763 Oracle MySQL Server Geometry Query DoS 1
  • 9764 Oracle MySQL Server Geometry Query DoS 2

This vulnerability is tracked as CVE-2013-1861.
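
As a complement to patching, an application that accepts serialized geometry from users can check its structure before it reaches a spatial function such as Envelope(). The following is an added example, not code from the advisory or from MySQL: it validates standard OGC WKB for Point, LineString and Polygon only. `MAX_POINTS`, the function names and the sample blobs are assumptions made for illustration.

```python
import struct

MAX_POINTS = 100_000  # assumed application limit, not a MySQL constant

class WKBError(ValueError):
    """Raised when a blob is not structurally valid WKB."""

def _read(fmt, buf, off):
    # Unpack fmt at off, refusing to read past the end of the buffer.
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise WKBError(f"truncated at offset {off}")
    return struct.unpack_from(fmt, buf, off), off + size

def _skip_points(buf, off, e, minimum):
    # A point array is a uint32 count followed by count * (x, y) doubles.
    (n,), off = _read(e + "I", buf, off)
    if n < minimum or n > MAX_POINTS or n * 16 > len(buf) - off:
        raise WKBError(f"point count {n} inconsistent with payload")
    return off + n * 16

def validate_wkb(buf):
    """Return the geometry type name for well-formed WKB, else raise WKBError."""
    (order,), off = _read("B", buf, 0)
    if order not in (0, 1):
        raise WKBError("bad byte-order flag")
    e = "<" if order == 1 else ">"
    (gtype,), off = _read(e + "I", buf, off)
    if gtype == 1:
        _, off = _read(e + "dd", buf, off)
        name = "Point"
    elif gtype == 2:
        off = _skip_points(buf, off, e, minimum=2)
        name = "LineString"
    elif gtype == 3:
        (rings,), off = _read(e + "I", buf, off)
        if rings < 1:
            raise WKBError("polygon without rings")
        for _ in range(rings):
            off = _skip_points(buf, off, e, minimum=4)  # closed ring
        name = "Polygon"
    else:
        raise WKBError(f"unsupported geometry type {gtype}")
    if off != len(buf):
        raise WKBError("trailing bytes after geometry")
    return name

# Constructed samples (not taken from the advisory).
GOOD_POINT = struct.pack("<BIdd", 1, 1, 1.0, 2.0)
GOOD_POLYGON = struct.pack("<BIII8d", 1, 3, 1, 4, 0, 0, 0, 1, 1, 1, 0, 0)
SHORT_LINESTRING = struct.pack("<BII4d", 1, 2, 1000, 0, 0, 1, 1)  # claims 1000 points
```

Blobs that raise `WKBError` should be rejected and logged by the application rather than forwarded to the database.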
