CVE-2023-5157

7.5 HIGH

📋 TL;DR

A vulnerability in MariaDB allows an unauthenticated remote client to cause a denial of service by port-scanning TCP 3306 (the MariaDB client port) and 4567 (the Galera cluster port); the CVE record names an OpenVAS port scan as the trigger. Any MariaDB server with these ports reachable from untrusted networks is affected. This is purely an availability issue: no credentials are needed, and no data is read or modified.

💻 Affected Systems

Products:
  • MariaDB
Versions: Multiple versions prior to fixes in Red Hat advisories RHSA-2023:5259, RHSA-2023:5683, RHSA-2023:5684, RHSA-2023:6821, RHSA-2023:6822
Operating Systems: Linux distributions with affected MariaDB packages (particularly Red Hat variants)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires MariaDB to be running with default or custom configurations exposing ports 3306 (default MySQL/MariaDB) and/or 4567 (Galera cluster).

📦 What is this software?

MariaDB is a widely deployed, MySQL-compatible open-source relational database server, shipped as the default MySQL-family database in Red Hat Enterprise Linux and many other distributions. Clients connect on TCP 3306 by default; MariaDB Galera Cluster nodes additionally use TCP 4567 for group communication (replication traffic between nodes).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability of MariaDB, disrupting database-dependent applications and potentially causing business downtime.

🟠

Likely Case

Temporary service degradation or crashes requiring a MariaDB restart. In-flight transactions are rolled back by InnoDB crash recovery, so committed data is not normally lost, but applications see aborted connections and must retry.

🟢

If Mitigated

Minimal impact if ports are firewalled or network controls limit exposure to trusted sources only.

🌐 Internet-Facing: HIGH - Internet-exposed MariaDB instances are directly vulnerable to scanning and exploitation from any remote attacker.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to MariaDB ports.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access and ability to send port scan traffic - no authentication or special payloads needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions specified in Red Hat advisories (check specific advisory for your distribution)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5259

Restart Required: Yes

Instructions:

1. Identify the installed MariaDB version: mariadb --version (or rpm -q mariadb-server on RHEL-family systems).
2. Match that version against the Red Hat advisory for your OS release and MariaDB module stream.
3. Update via the package manager: dnf update mariadb mariadb-server (yum on older releases).
4. Restart the service so the patched binary is loaded: systemctl restart mariadb.
5. Confirm the running version with mariadb --version.

🔧 Temporary Workarounds

Firewall MariaDB Ports

linux

Restrict access to the MariaDB ports to the hosts that need them (application servers, other Galera nodes) and drop everything else. The two DROP rules alone would also cut off legitimate clients, so add the ACCEPT rules for your trusted subnet first. 10.0.0.0/24 below is a placeholder; substitute your own application/cluster network.

iptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 4567 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A INPUT -p tcp --dport 4567 -j DROP
# firewalld (RHEL family): drop the open service/port, re-add scoped to the trusted subnet
firewall-cmd --permanent --remove-service=mysql
firewall-cmd --permanent --remove-port=4567/tcp
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="3306" protocol="tcp" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="4567" protocol="tcp" accept'
firewall-cmd --reload

Bind to Local Interface Only

linux

Configure MariaDB to listen only on localhost. This is only viable where every client runs on the same host, since remote application servers will no longer be able to connect. Note that bind-address controls port 3306 only; the Galera port 4567 is set through wsrep_provider_options (gmcast.listen_addr) and must be restricted separately, typically by binding it to the cluster-internal interface and firewalling it.

Edit /etc/my.cnf or /etc/mysql/my.cnf (on RHEL-family systems often /etc/my.cnf.d/mariadb-server.cnf)
Add 'bind-address = 127.0.0.1' under the [mysqld] section
Restart MariaDB: systemctl restart mariadb
Confirm with ss -ltnp | grep 3306, which should now show 127.0.0.1:3306

🧯 If You Can't Patch

  • Implement strict network segmentation - allow MariaDB access only from required application servers
  • Deploy an intrusion prevention system (IPS) or firewall rate-limiting in front of the database network to detect and block port-scan patterns against 3306/4567. A web application firewall (WAF) does not help here, because the attack traffic is raw TCP, not HTTP.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed MariaDB package is older than the fixed version listed in the Red Hat advisory for your release, and whether ports 3306/4567 are listening on a non-loopback address (ss -ltnp | grep -E ':3306|:4567').

Check Version:

mariadb --version  OR  rpm -q mariadb-server  OR  dpkg -l | grep mariadb-server

Verify Fix Applied:

Confirm the installed package version matches or exceeds the advisory's fixed version. Then, in a test environment, run a port scan of 3306 and 4567 from an authorized host against the instance and verify the service stays up (systemctl status mariadb, plus no new crash or restart entries in the error log).
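The two checks above (is anything on 3306/4567 reachable beyond loopback, and is bind-address actually set) can be scripted. The following is an added example for this page, not MariaDB project code: it parses the text output of ss -ltnp and a my.cnf fragment, and the sample inputs embedded in it are constructed to show an unpatched default install beside the same host after the bind-address workaround. Port 4567 stays exposed in the second sample on purpose, since bind-address does not govern the Galera port.

```python
"""Exposure check for CVE-2023-5157: is MariaDB (3306) or Galera (4567)
listening beyond loopback, and is bind-address set?

Added example for this advisory page; not MariaDB project code. It parses
the text output of `ss -ltnp` and a my.cnf fragment. The sample inputs
below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Ports named in the advisory and what normally owns them.
WATCH_PORTS = {3306: "MariaDB client port", 4567: "Galera group communication"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltnp` lines (header optional) into Listener records.

    Local address forms handled: 0.0.0.0:3306, 10.0.0.5:4567, [::]:3306,
    *:3306. The process name comes from users:(("mariadbd",pid=...)).
    """
    listeners: list[Listener] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        m = re.search(r'\(\("([^"]+)"', line)
        listeners.append(Listener(addr.strip("[]"), int(port), m.group(1) if m else "?"))
    return listeners


def exposed_listeners(listeners: list[Listener]) -> list[Listener]:
    """Watched ports bound to anything other than loopback (0.0.0.0, ::, *,
    or a specific routable address) are reachable from the network."""
    return [l for l in listeners if l.port in WATCH_PORTS and l.addr not in LOOPBACK]


def bind_address(my_cnf: str) -> Optional[str]:
    """Return the last bind-address (or bind_address) seen in a server option
    group ([mysqld], [mariadb], [server]). None means MariaDB listens on all
    interfaces, the vulnerable default the advisory describes."""
    section, value = None, None
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section in {"mysqld", "mariadb", "server"} and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.replace("_", "-") == "bind-address":
                value = val
    return value


def assess(ss_output: str, my_cnf: str) -> dict:
    """Combine both views into one verdict."""
    exposed = exposed_listeners(parse_ss(ss_output))
    return {
        "exposed_ports": sorted({l.port for l in exposed}),
        "bind_address": bind_address(my_cnf),
        "vulnerable_exposure": bool(exposed),
    }


# Constructed samples: a default install, and the same host after the
# bind-address workaround (4567 is Galera's and is not affected by bind-address).
SAMPLE_SS_DEFAULT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=701,fd=3))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mariadbd",pid=812,fd=21))
LISTEN 0 128 10.0.0.5:4567 0.0.0.0:* users:(("mariadbd",pid=812,fd=11))
LISTEN 0 128 127.0.0.1:4444 0.0.0.0:* users:(("mariadbd",pid=812,fd=13))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=701,fd=4))
"""
SAMPLE_SS_BOUND = SAMPLE_SS_DEFAULT.replace("0.0.0.0:3306", "127.0.0.1:3306")
SAMPLE_MY_CNF_DEFAULT = "[mysqld]\ndatadir=/var/lib/mysql\n"
SAMPLE_MY_CNF_BOUND = "[mysqld]\ndatadir=/var/lib/mysql\nbind-address = 127.0.0.1  # workaround\n"

if __name__ == "__main__":
    print(assess(SAMPLE_SS_DEFAULT, SAMPLE_MY_CNF_DEFAULT))
    print(assess(SAMPLE_SS_BOUND, SAMPLE_MY_CNF_BOUND))
```

On a real host feed it live data, e.g. assess(subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout, open("/etc/my.cnf").read()); anything listed under exposed_ports needs either the patch or the firewall workaround above.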

📡 Detection & Monitoring

Log Indicators:

  • Repeated "Aborted connection ... user: 'unauthenticated' host: '<ip>'" warnings from the same host in the MariaDB error log (these are written when log_warnings is at least 2, the default in current MariaDB)
  • Crash or restart markers: "mysqld got signal" in the error log, unexpected "ready for connections" lines, or mariadb.service restarts in the systemd journal

Network Indicators:

  • High volume of TCP SYN packets to ports 3306/4567 from single or multiple sources
  • Port scan patterns detected by network monitoring

SIEM Query:

# MariaDB error log: unauthenticated connection aborts, or crash/restart markers
source="mariadb.log" AND (("Aborted connection" AND "unauthenticated") OR "got signal" OR "ready for connections")

# Network/firewall logs: SYN burst against the MariaDB/Galera ports from a single source
(destination_port IN (3306, 4567) AND tcp_flags="SYN") | count BY source_ip | where count > 100

🔗 References

  • Red Hat advisory RHSA-2023:5259: https://access.redhat.com/errata/RHSA-2023:5259
  • Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2023-5157
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-5157
