Latest MYSQL Database Vulnerability Bulletin _mysql

Recently, the Internet has disclosed about the existence of a MySQL database Code execution Vulnerability (cnnvd-201609-183) situation. Because of a certain flaw in the MySQL database default configuration, an attacker could exploit the vulnerability to tamper with the database configuration file, executing arbitrary code with Administrator privileges, and remotely controlling the affected server. At present, the Oracle official website release statement will release the key patch update information in October.

A brief introduction of vulnerability

Oracle MySQL is an open source relational database management system for Oracle (Oracle) company in the United States.

The configuration file (my.cnf) in the MySQL database has a remote Code execution Vulnerability (Vulnerability number: cnnvd-201609-183,cve-2016-6662) and the following version is affected by the vulnerability: MySQL 5.7.15 and previous versions, 5.6.33 and previous versions, 5.5.52 and previous versions.

CNNVD for the use of the principle of the above-mentioned loopholes, summarized as follows:

The MySQL service has two processes on the server, one of which has administrator (root) and the other has normal user (MySQL) permissions. A process with administrator (root) permissions can load and execute the Dynamic Connection library (so) that is declared in the configuration file, and modify the above configuration file under specific file permissions through SQL statements or by using methods such as add triggers, causing the MySQL service to restart A process with administrator (root) permissions loads and executes the dynamic Connection library, executing arbitrary code to achieve elevated permissions.

Ii. Vulnerabilities and hazards

An attacker (local or remote) can use this vulnerability to modify a configuration file, such as normal access or malicious injection, to execute arbitrary code with administrator privileges and to have full control over the affected server.

2. Currently, the open source database using the MySQL kernel mariadb and perconadb is affected by this vulnerability and released a bug fix patch on September 6.

Iii. Measures of repair

The official Oracle website will release key patch updates on October 18, so that users who may be affected should be concerned about the information in time to fix the vulnerabilities and eliminate the pitfalls.

Announcement Link: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Users who deploy the MySQL database should promptly check if the MySQL version used is in the affected area. If affected, you can take this mitigation scenario: Turn off MySQL user file permissions.