NVD Vulnerability Detail

CVE-2019-16168

Summary	In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
Publication Date	Sept. 10, 2019, 2:15 a.m.
Registration Date	Jan. 26, 2021, 11:39 a.m.
Last Update	Nov. 21, 2024, 1:30 p.m.

CVSS3.1 : MEDIUM
スコア	6.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	高

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:N/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:sqlite:sqlite::::::::		3.8.5	3.29.0

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:oncommand_insight:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5
cpe:2.3:a:netapp:santricity_unified_manager:-:::::::*
cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::	11.0.0	11.60.3

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:30:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:a:tenable:nessus_agent::::::::			8.2.3

Configuration7	or higher	or less	more than	less than
cpe:2.3:o:oracle:solaris:11:::::::*
cpe:2.3:a:oracle:outside_in_technology:8.5.4:::::::*
cpe:2.3:a:oracle:mysql::::::::	8.0.0	8.0.18
cpe:2.3:a:oracle:jre:1.8.0:update231::::::
cpe:2.3:a:oracle:jdk:1.8.0:update231::::::
cpe:2.3:o:oracle:zfs_storage_appliance:8.8:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.3.4.3.0:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.3.5.5.0:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.4.0.4.0:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:a:mcafee:policy_auditor::::::::					6.5.1

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html	Broken Link
2	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html	Broken Link
3	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html	Broken Link
4	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html	Broken Link
5	https://kc.mcafee.com/corporate/index?page=content&id=SB10365	Third Party Advisory
6	https://kc.mcafee.com/corporate/index?page=content&id=SB10365	Third Party Advisory
7	https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html	Mailing List Third Party Advisory
8	https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html	Mailing List Third Party Advisory
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/
11	https://security.gentoo.org/glsa/202003-16	Third Party Advisory
12	https://security.gentoo.org/glsa/202003-16	Third Party Advisory
13	https://security.netapp.com/advisory/ntap-20190926-0003/	Third Party Advisory
14	https://security.netapp.com/advisory/ntap-20190926-0003/	Third Party Advisory
15	https://security.netapp.com/advisory/ntap-20200122-0003/	Third Party Advisory
16	https://security.netapp.com/advisory/ntap-20200122-0003/	Third Party Advisory
17	https://usn.ubuntu.com/4205-1/	Third Party Advisory
18	https://usn.ubuntu.com/4205-1/	Third Party Advisory
19	https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg116312.html
20	https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg116312.html
21	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
22	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
23	https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
24	https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
25	https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62	Vendor Advisory
26	https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62	Vendor Advisory
27	https://www.sqlite.org/src/timeline?c=98357d8c1263920b	Patch Vendor Advisory
28	https://www.sqlite.org/src/timeline?c=98357d8c1263920b	Patch Vendor Advisory
29	https://www.tenable.com/security/tns-2021-08	Third Party Advisory
30	https://www.tenable.com/security/tns-2021-08	Third Party Advisory
31	https://www.tenable.com/security/tns-2021-11	Third Party Advisory
32	https://www.tenable.com/security/tns-2021-11	Third Party Advisory
33	https://www.tenable.com/security/tns-2021-14	Third Party Advisory
34	https://www.tenable.com/security/tns-2021-14	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-369	ゼロ除算	https://cwe.mitre.org/data/definitions/369.html

JVN Vulnerability Information

SQLite におけるゼロ除算に関する脆弱性

Title	SQLite におけるゼロ除算に関する脆弱性
Summary	SQLite には、ゼロ除算に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 15, 2019, midnight
Registration Date	Sept. 12, 2019, noon
Last Update	June 1, 2020, 2:05 p.m.

Affected System

日立

Hitachi Automation Director

Hitachi Compute Systems Manager

Hitachi Configuration Manager

Hitachi Device Manager

Hitachi Dynamic Link Manager

Hitachi Global Link Manager

Hitachi Infrastructure Analytics Advisor (海外販売のみ)

Hitachi Ops Center Analyzer (海外販売のみ)

Hitachi Ops Center Analyzer viewpoint (海外販売のみ)

Hitachi Ops Center API Configuration Manager

Hitachi Ops Center Automator

Hitachi Ops Center Common Services (海外販売のみ)

Hitachi Replication Manager

Hitachi Tiered Storage Manager

Hitachi Tuning Manager

SQLite

SQLite 3.29.0 まで

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-16168	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
National Vulnerability Database (NVD)
2	CVE-2019-16168	https://nvd.nist.gov/vuln/detail/CVE-2019-16168

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-369	https://cwe.mitre.org/data/definitions/369.html

ベンダー情報

No	Name	URL
Hitachi Software Vulnerability Information
1	hitachi-sec-2020-103	https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2020-103/index.html
SQLite
2	100 check-ins occurring around 98357d8c1263920b.	https://www.sqlite.org/src/timeline?c=98357d8c1263920b
3	Division by zero in the query planner.	https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
セキュリティ情報
4	hitachi-sec-2020-103	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2020-103/index.html

Change Log

No	Changed Details	Date of change
1	[2019年09月12日] 掲載	Sept. 12, 2019, noon
3	[2020年06月01日] 影響を受けるシステム：内容を更新ベンダ情報：Hitachi Software Vulnerability Information (hitachi-sec-2020-103) を追加ベンダ情報：ソフトウェア製品セキュリティ情報 (hitachi-sec-2020-103) を追加	June 1, 2020, 11:25 a.m.

Configuration7	or higher	or less	more than	less than
cpe:2.3:o:oracle:solaris:11:::::::*
cpe:2.3:a:oracle:outside_in_technology:8.5.4:::::::*
cpe:2.3:a:oracle:mysql::::::::	8.0.0	8.0.18
cpe:2.3:a:oracle:jre:1.8.0:update231::::::
cpe:2.3:a:oracle:jdk:1.8.0:update231::::::
cpe:2.3:o:oracle:zfs_storage_appliance:8.8:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.3.4.3.0:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.3.5.5.0:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.4.0.4.0:::::::*