Oracle MySQL Server Geometry Query DoS

March 25, 2013

MySQL is the world's most used open source relational database management system (RDBMS). It runs as a server providing multi-user access to a number of databases, which are queried using Structured Query Language (SQL). It is a popular choice of database for use in web applications, and is a central component of the widely used LAMP open source web application software stack (and other 'AMP' stacks). For commercial use, several paid editions are available that offer additional functionality. As with other database implementations, MySQL has a number of built-in SQL functions and supported operators that are designed to assist the user with the task of querying and updating the database.

MySQL supports spatial extensions to enable the generation, storage, and analysis of geographic features. MySQL implements a subset of SQL with the Geometry Types environment proposed by the Open Geospatial Consortium (OGC). This term refers to an SQL environment that has been extended with a set of geometry types. A geometry-valued SQL column is implemented as a column that has a geometry type.

Geometry is the root class of the hierarchy. It has a number of properties that are common to all geometry values created from any of the Geometry subclasses. Geometry subclasses include: Point, Curve, LineString, Surface and Polygon. These Geometry objects can be held in MySQL's internal Geometry format or be represented as Well-Known Text (WKT) or Well-Known Binary (WKB).

MySQL implements many other functions to perform operations on Geometry objects, one of which is Envelope(). A vulnerability exists in the MySQL Envelope() function: it fails to validate user-supplied data when handling serialized Geometry objects. A remote, authenticated attacker can exploit this vulnerability by sending an Envelope() query on a malicious Geometry object to a vulnerable server. Successful exploitation could result in a denial-of-service condition.
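The following is an added example, not code from the original advisory or from MySQL: an application-side structural check that a WKB blob's declared type and point counts match its actual length before the value is handed to geometry functions. It covers only Point, LineString and Polygon and is a general input check rather than a description of the specific flaw; `validate_wkb`, `WKBError` and the `MAX_POINTS` limit are names and values assumed for this illustration.

```python
import struct

POINT, LINESTRING, POLYGON = 1, 2, 3  # OGC WKB geometry type codes
MAX_POINTS = 100_000  # assumed application limit, not a MySQL constant

class WKBError(ValueError):
    """Raised when a WKB blob is structurally inconsistent."""

def validate_wkb(blob: bytes) -> str:
    """Verify byte order, type code and every declared count against the data."""
    if len(blob) < 5 or blob[0] not in (0, 1):
        raise WKBError("truncated header or bad byte-order flag")
    endian = "<" if blob[0] == 1 else ">"
    pos = 1

    def read_u32() -> int:
        nonlocal pos
        if pos + 4 > len(blob):
            raise WKBError("truncated count field")
        (value,) = struct.unpack_from(endian + "I", blob, pos)
        pos += 4
        return value

    def skip_points(count: int) -> None:
        nonlocal pos
        if count > MAX_POINTS or pos + 16 * count > len(blob):
            raise WKBError("declared point count exceeds available data")
        pos += 16 * count  # each point is two 8-byte doubles

    gtype = read_u32()
    if gtype == POINT:
        skip_points(1)
    elif gtype == LINESTRING:
        skip_points(read_u32())
    elif gtype == POLYGON:
        for _ in range(read_u32()):  # one point list per ring
            skip_points(read_u32())
    else:
        raise WKBError(f"unsupported geometry type {gtype}")
    if pos != len(blob):
        raise WKBError("trailing bytes after geometry")
    return {POINT: "Point", LINESTRING: "LineString", POLYGON: "Polygon"}[gtype]

# Constructed sample inputs (not taken from any real traffic).
GOOD_POINT = struct.pack("<BIdd", 1, POINT, 1.0, 2.0)
GOOD_LINE = struct.pack("<BII4d", 1, LINESTRING, 2, 0.0, 0.0, 1.0, 1.0)
BAD_LINE = struct.pack("<BIIdd", 1, LINESTRING, 1000, 0.0, 0.0)  # count != data
```

Rejecting input at this layer does not replace patching the server; it limits which serialized values reach the database from untrusted callers.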

The Dell SonicWALL threat team has researched this vulnerability and released the following IPS signatures addressing the issue:

  • 9763 Oracle MySQL Server Geometry Query DoS 1
  • 9764 Oracle MySQL Server Geometry Query DoS 2

This vulnerability is referenced by CVE as CVE-2013-1861.