CVE-2016-6225

Published on: 03/23/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:11 PM UTC

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Percona XtraBackup (upstream 2.3.x before 2.3.6 and 2.4.x before 2.4.5, and the packages shipped by the Fedora and openSUSE releases listed below) contains the following vulnerability:

xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.
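The description only says that the IV is "not properly set". The example below, added here and not taken from xbcrypt or from Percona's code, models that failure for a counter-mode cipher: each chunk carries a freshly generated IV in its header, but the cipher is driven with a constant all-zero IV, so every chunk written under one key shares the same keystream. Decryption mirrors the bug, so backups round-trip and nothing looks wrong in normal use. An attacker who can get a chosen plaintext into the backed-up data (for example a row they inserted) and who obtains the encrypted backup file XORs the known plaintext with its ciphertext to recover the keystream, then reads any other chunk. The chunk layout (`iv || ciphertext`), the sample rows and the keystream generator (HMAC-SHA256 in counter mode, a stand-in for AES-CTR so that only the standard library is needed) are assumptions of this example.

```python
"""Chosen-plaintext recovery against a counter-mode cipher whose IV is never
actually applied. Added example modelled on the CVE-2016-6225 description; the
chunk format and keystream construction are assumed, not xbcrypt's."""
import hashlib
import hmac
import os
import struct

IV_LEN = 16
ZERO_IV = bytes(IV_LEN)

# Constructed sample data: a secret row in the backup and a row the attacker planted.
SECRET_ROW = b"mysql.user: admin:*CONSTRUCTED_PASSWORD_HASH_0123456789ABCDEF"
CHOSEN_ROW = b"A" * len(SECRET_ROW)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC-SHA256(key, iv || i).
    Stand-in for AES-CTR; the IV-reuse property is identical."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_chunk(key: bytes, plaintext: bytes, set_iv_properly: bool) -> bytes:
    """Assumed chunk format: iv || ciphertext. With set_iv_properly=False the
    fresh IV lands in the header but the cipher runs with ZERO_IV, so all
    chunks under this key share one keystream (the advisory's failure mode)."""
    iv = os.urandom(IV_LEN)
    effective_iv = iv if set_iv_properly else ZERO_IV
    return iv + xor(plaintext, keystream(key, effective_iv, len(plaintext)))


def decrypt_chunk(key: bytes, chunk: bytes, set_iv_properly: bool) -> bytes:
    """Mirrors the encryptor's IV handling, which is why the bug round-trips."""
    iv, ct = chunk[:IV_LEN], chunk[IV_LEN:]
    effective_iv = iv if set_iv_properly else ZERO_IV
    return xor(ct, keystream(key, effective_iv, len(ct)))


def chosen_plaintext_recover(known_pt: bytes, known_chunk: bytes, target_chunk: bytes) -> bytes:
    """Attacker side: holds one plaintext/ciphertext pair and the target chunk,
    never the key. Recovers as many target bytes as the known keystream covers."""
    ks = xor(known_pt, known_chunk[IV_LEN:])
    n = min(len(ks), len(target_chunk) - IV_LEN)
    return xor(target_chunk[IV_LEN:IV_LEN + n], ks[:n])


def demo(set_iv_properly: bool) -> bytes:
    """Encrypt the secret and the planted row under one key, confirm the file
    round-trips, and return what the attacker recovers from the secret chunk."""
    key = os.urandom(32)  # backup encryption key, never seen by the attacker
    secret_chunk = encrypt_chunk(key, SECRET_ROW, set_iv_properly)
    chosen_chunk = encrypt_chunk(key, CHOSEN_ROW, set_iv_properly)
    assert decrypt_chunk(key, secret_chunk, set_iv_properly) == SECRET_ROW
    return chosen_plaintext_recover(CHOSEN_ROW, chosen_chunk, secret_chunk)


if __name__ == "__main__":
    print("IV not applied (vulnerable):", demo(set_iv_properly=False))
    print("IV applied per chunk (fixed):", demo(set_iv_properly=True))
```

With the IV ignored, `demo(False)` returns the secret row byte for byte; with a per-chunk IV the same XOR yields noise. The practical consequence for operators is that upgrading to 2.3.6 or 2.4.5 fixes only backups taken afterwards: files already written by an affected build were encrypted with the shared keystream and should be treated as readable by anyone who holds them together with known plaintext.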

  • CVE-2016-6225 has been assigned by [email protected] to track the vulnerability; it is currently rated as MEDIUM severity.

CVSS3 Score: 5.9 - MEDIUM

Attack Vector:          NETWORK
Attack Complexity:      HIGH
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       NONE
Availability Impact:    NONE

CVSS2 Score: 4.3 - MEDIUM

Access Vector:          NETWORK
Access Complexity:      MEDIUM
Authentication:         NONE
Confidentiality Impact: PARTIAL
Integrity Impact:       NONE
Availability Impact:    NONE

CVE References

  • [SECURITY] Fedora 25 Update: percona-xtrabackup-2.3.6-1.fc25 (package-announce, Fedora Mailing-Lists)
    Tags: Patch, Third Party Advisory
    Link: FEDORA FEDORA-2017-6382ea8d57 (lists.fedoraproject.org, text/html)
  • Bug #1643949 "CVE-2016-6225: xbcrypt/xtrabackup encryption is no..." : Bugs : Percona XtraBackup (moved to https://jira.percona.com/projects/PXB)
    Tags: Issue Tracking, Patch, Third Party Advisory
    Link: CONFIRM bugs.launchpad.net/percona-xtrabackup/+bug/1643949 (text/html)
  • openSUSE-SU-2017:0250-1: moderate: Security update for xtrabackup
    Tags: Third Party Advisory
    Link: SUSE openSUSE-SU-2017:0250 (lists.opensuse.org, text/html)
  • Fix CVE-2016-6225 in 2.4 by gl-sergei · Pull Request #267 · percona/percona-xtrabackup · GitHub
    Tags: Issue Tracking, Patch, Third Party Advisory
    Link: CONFIRM github.com/percona/percona-xtrabackup/pull/267 (text/html)
  • CVE-2016-6225: xtrabackup encryption is not setting the IV correctly by gl-sergei · Pull Request #266 · percona/percona-xtrabackup · GitHub
    Tags: Issue Tracking, Patch, Third Party Advisory
    Link: CONFIRM github.com/percona/percona-xtrabackup/pull/266 (text/html)
  • [SECURITY] Fedora 24 Update: percona-xtrabackup-2.3.6-1.fc24 (package-announce, Fedora Mailing-Lists)
    Tags: Patch, Third Party Advisory
    Link: FEDORA FEDORA-2017-5a823376be (lists.fedoraproject.org, text/html)
  • openSUSE-SU-2017:0251-1: moderate: Security update for xtrabackup
    Tags: Third Party Advisory
    Link: SUSE openSUSE-SU-2017:0251 (lists.opensuse.org, text/html)
  • CVE-2016-6225: Percona Xtrabackup Encryption IV Not Being Set Properly (Percona Database Performance Blog)
    Tags: Vendor Advisory
    Link: CONFIRM www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/ (text/html)

Known Affected Configurations (CPE V2.3)

Type              Vendor         Product     Version  Update  Edition  Language
Operating System  Fedoraproject  Fedora      24       All     All      All
Operating System  Fedoraproject  Fedora      25       All     All      All
Operating System  Opensuse       Leap        42.1     All     All      All
Operating System  Opensuse       Leap        42.2     All     All      All
Application       Percona        Xtrabackup  2.4.0    rc1     All      All
Application       Percona        Xtrabackup  2.4.1    All     All      All
Application       Percona        Xtrabackup  2.4.2    All     All      All
Application       Percona        Xtrabackup  2.4.3    All     All      All
Application       Percona        Xtrabackup  2.4.4    All     All      All
Application       Percona        Xtrabackup  All      All     All      All

The last row is the wildcard entry that covers the 2.3.x branch before 2.3.6 named in the description; the explicit rows cover the 2.4.x builds before 2.4.5.

  • cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:percona:xtrabackup:2.4.0:rc1:*:*:*:*:*:*:
  • cpe:2.3:a:percona:xtrabackup:2.4.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:percona:xtrabackup:2.4.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:percona:xtrabackup:2.4.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:percona:xtrabackup:2.4.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:*:
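To turn the version ranges above into a fleet check, here is an added example (not from the page or from Percona) that decides whether a given XtraBackup version string falls in the affected ranges: anything before 2.3.6, and 2.4.x before 2.4.5, with pre-release tags such as `rc1` sorting below the final build. It accepts a bare version, a package NVR such as the `percona-xtrabackup-2.3.6-1.fc25` named in the Fedora advisory, or a line containing the version; the `xtrabackup version X.Y.Z ...` banner format in the test input is an assumption.

```python
"""Classify a Percona XtraBackup version string against the CVE-2016-6225
ranges (< 2.3.6, and 2.4.x < 2.4.5). Added example; banner format assumed."""
import re

# major.minor.patch with an optional pre-release suffix (2.4.0rc1, 2.4.0-rc1).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]?(rc|beta|alpha)(\d+))?", re.IGNORECASE)

# Sort key: pre-release builds (is_final=0) order below the final build (is_final=1).
FIXED_2_3 = (2, 3, 6, 1)
FIXED_2_4 = (2, 4, 5, 1)


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, is_final) for the first version found in text,
    e.g. '2.4.0rc1' -> (2, 4, 0, 0), 'percona-xtrabackup-2.3.6-1.fc25' -> (2, 3, 6, 1)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_affected(text: str) -> bool:
    """True if the build is in the ranges the advisory names."""
    key = parse_version(text)
    if key[:2] == (2, 4):
        return key < FIXED_2_4   # 2.4.0rc1 .. 2.4.4
    return key < FIXED_2_3       # 2.3.5 and older branches


if __name__ == "__main__":
    for sample in ("2.3.5", "2.4.0rc1", "2.4.4", "2.4.5",
                   "percona-xtrabackup-2.3.6-1.fc25"):
        print(f"{sample:40} affected={is_affected(sample)}")
```

Anything the check flags should be upgraded to the fixed packages referenced above, and backups that build already wrote should be treated as exposed rather than assumed safe.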