Monday 9/12, Dawid Golunski of http://legalhackers.com/ published MySQL bug CVE-2016-6662, which covers multiple severe vulnerabilities. The vulnerability affects servers in all version branches (5.7, 5.6, and 5.5), including the latest releases, and could be exploited by both local and remote attackers. Both authenticated access to a MySQL database (via a network connection or a web interface such as phpMyAdmin) and SQL injection could serve as exploitation vectors. Successful exploitation could allow attackers to execute arbitrary code with root privileges, which would let them fully compromise the server on which an affected version of MySQL is running.
This is a CRITICAL update, and the fix mitigates the potential for remote root code execution.
PerconaDB also released fixes for their server packages and you should update immediately.
MariaDB is also affected by this critical bug and they released updated packages.
Debian and Red Hat have also updated their repository packages, as far as I know.
Either way, I urge you to update your MySQL server as soon as possible and to disable phpMyAdmin until you have done so.
The vulnerability was reported to Oracle on 29 July 2016 and triaged by the security team.
It was also reported to the other affected vendors including PerconaDB and MariaDB.
The vulnerabilities were patched by PerconaDB and MariaDB by 30 August.
While these vendors were patching, the fixes landed in public repositories and the fixed security issues were mentioned in the release notes, where malicious attackers could notice them.
No official patches or mitigations are available at this time from Oracle. As temporary mitigations, ensure that no MySQL config files are owned by the mysql user, and create root-owned dummy my.cnf files at the locations that are not currently in use. These are by no means a complete solution; apply official vendor patches as soon as they become available.
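As an added example (my own helper, not code from the advisory or any vendor), a POSIX shell script for the temporary mitigation just described: it flags config files or include directories owned by the mysql user and pre-creates root-owned placeholder my.cnf files. The path list is an assumption about a typical Linux install; confirm the real search order on your host with `mysqld --help --verbose`.

```shell
#!/bin/sh
# Audit MySQL config locations for mysql-owned files and pre-create
# root-owned placeholder my.cnf files so the mysql user cannot plant one.
# Assumption (not from the advisory): typical Linux search locations,
# including Debian's !includedir and the datadir. Verify with:
#   mysqld --help --verbose | grep -A1 'Default options'
CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /etc/mysql/conf.d /etc/mysql/mysql.conf.d /var/lib/mysql/my.cnf /usr/local/mysql/my.cnf"

owner_of() {
    # Print the owning user of $1 (GNU stat first, BSD stat as fallback).
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null
}

# check_cnf_owner USER PATH... : print every existing path (and *.cnf
# inside include dirs) owned by USER; return 1 if any was found, else 0.
check_cnf_owner() {
    user="$1"; shift
    bad=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        for f in "$p" "$p"/*.cnf; do
            [ -e "$f" ] || continue
            if [ "$(owner_of "$f")" = "$user" ]; then
                echo "WARNING: $f is owned by $user"
                bad=1
            fi
        done
    done
    return $bad
}

# create_dummy_cnf PATH : create an empty placeholder if nothing exists,
# mode 0644, owned by root when run as root (chown needs privileges).
create_dummy_cnf() {
    f="$1"
    [ -e "$f" ] || : > "$f" || return 1
    chmod 644 "$f" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$f" || return 1; fi
    return 0
}

audit_and_harden() {
    check_cnf_owner mysql $CNF_PATHS
    for f in $CNF_PATHS; do
        case "$f" in *.cnf) create_dummy_cnf "$f" ;; esac
    done
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then audit_and_harden; fi
```

Run it as root with `--apply` on the server; any WARNING line names a file or include directory the mysql user could rewrite and that needs its ownership changed back to root.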