Latest MySQL database vulnerability and MySQL report
Recently, a MySQL database code execution vulnerability (CNNVD-201609-183) was disclosed on the Internet. Because of defects in the default configuration of the MySQL database, attackers can exploit this vulnerability to tamper with the database configuration file, execute arbitrary code as administrator, and remotely control the affected server. At present, the Oracle official website will release critical patch updates on March 13, October.
I. Vulnerability Overview
Oracle MySQL is an open source relational database management system from Oracle.
The MySQL database configuration file (my.cnf) remote code execution vulnerability (vulnerability No. CNNVD-201609-183, CVE-2016-6662) affects the following versions: MySQL 5.7.15 and earlier, 5.6.33 and earlier, and 5.5.52 and earlier.
CNNVD has analysed the exploitation principle of this vulnerability and summarises it as follows:
The MySQL service runs two processes on the server: one with administrator (root) privileges and one with ordinary user (mysql) privileges. The root-privileged process loads and executes the shared library (.so library) declared in the configuration file. Under specific file permissions, that configuration file can be modified through SQL statements or by adding triggers; when the MySQL service is restarted, the root-privileged process then loads and executes the modified shared library, which allows arbitrary code to run with elevated privileges.
II. Hazards
1. Attackers (local or remote) can exploit this vulnerability to modify the configuration file, either through normal access or through malicious injection, and thereby execute arbitrary code as administrator and completely control the affected server.
2. The open-source databases MariaDB and PerconaDB, which use the MySQL kernel, are currently also affected by this vulnerability; a repair patch was released on April 9, September 6.
III. Repair Measures
The Oracle official website will release critical patch updates on March 13, October 18. Users who may be affected should watch for this information and fix the vulnerability in time to eliminate the potential risk.
Announcement link: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
If you deploy a MySQL database, check whether your MySQL version is affected. If it is, you can disable the FILE privilege of the MySQL user.
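As an added example (not part of the advisory or of MySQL itself), the following Python script performs the two checks suggested above: it compares a reported server version against the affected ranges listed in section I, and it reports which configuration files the unprivileged service account could write, since a writable my.cnf is what lets the root-privileged process be pointed at an attacker's shared library. The uid/gid 999 for the mysql account, the config paths, and the privilege query are assumptions for illustration.

```python
"""Defender-side checks for CNNVD-201609-183 / CVE-2016-6662 (added example)."""
import os
import re
import stat

# Highest affected patch level per branch, as listed in the advisory.
LAST_AFFECTED = {"5.7": 15, "5.6": 33, "5.5": 52}

def is_affected(version):
    """True/False for the 5.5, 5.6 and 5.7 branches named in the advisory,
    None for branches it does not cover. Suffixes such as '-log' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    branch = "%s.%s" % (m.group(1), m.group(2))
    patch = int(m.group(3))
    if branch not in LAST_AFFECTED:
        return None
    return patch <= LAST_AFFECTED[branch]

def writable_by(mode, owner_uid, owner_gid, uid, gid):
    """Can a process running as uid/gid write a file with these permission
    bits and owner? Used to flag config files the mysql account could modify."""
    if uid == 0:
        return True
    if owner_uid == uid and mode & stat.S_IWUSR:
        return True
    if owner_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)

def config_files_writable_by(paths, uid, gid):
    """Return the existing config paths that the given service account can write."""
    hits = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # file absent: nothing for the server to load from it
        if writable_by(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gid):
            hits.append(path)
    return hits

# Query listing accounts that hold the FILE privilege the advisory says to disable.
FILE_PRIV_QUERY = "SELECT user, host FROM mysql.user WHERE File_priv = 'Y';"

if __name__ == "__main__":
    # Assumed: the mysql service account runs as uid/gid 999 on this host.
    print("5.7.15 affected:", is_affected("5.7.15"))
    print("configs writable by mysql:", config_files_writable_by(["/etc/my.cnf", "/etc/mysql/my.cnf"], 999, 999))
    print("run against the server:", FILE_PRIV_QUERY)
```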