System administrators should be patching their MySQL installations if they haven't in the last three weeks, to safeguard their database servers against three critical security flaws discovered by Polish security researcher Dawid Golunski.
The three vulnerabilities he found are tracked via the identifiers CVE-2016-6662, CVE-2016-6663, and CVE-2016-6664.
Patches for MySQL servers have been available for download since mid-October when Oracle put out its quarterly Critical Patch Update (CPU), but Golunski released details about the vulnerabilities he discovered only last week, after allowing MySQL admins time to install the patches.
Golunski already released details about one flaw in September
In mid-September, Golunski had released partial details about CVE-2016-6662, a vulnerability that allows an attacker to inject custom database settings into MySQL configuration files (my.cnf).
At the time, Golunski refrained from releasing weaponized proof-of-concept code and warned that he had also discovered two other MySQL security bugs.
Golunski also took the opportunity to criticize Oracle's non-standard security patch system, which included releasing security updates only once every three months, instead of once per month, like Google, Microsoft, Apple, Adobe, and others.
The researcher said that two other database projects forked from the MySQL codebase, MariaDB and Percona DB, had addressed CVE-2016-6662 right away, while MySQL users would remain vulnerable for 90 more days, until Oracle's next CPU release train.
Vulnerabilities are meant to be used together
Last week, Golunski revealed details about the two other security flaws he had teased in September.
Both CVE-2016-6663 and CVE-2016-6664 are privilege escalation flaws. The researcher says they're meant to be used together with CVE-2016-6662.
Combinations of these flaws (CVE-2016-6662 + CVE-2016-6663 or CVE-2016-6662 + CVE-2016-6664) allow an attacker to take over unpatched MySQL installations. This time around, Golunski also released proof-of-concept exploit code.
The following MySQL, MariaDB, and Percona Server versions are considered vulnerable:
MySQL: <= 5.5.51, <= 5.6.32, <= 5.7.14
MariaDB: < 5.5.52, < 10.1.18, < 10.0.28
Percona Server: < 5.5.51-38.2, < 5.6.32-78-1, < 5.7.14-8
MySQL installations in enterprise environments or shared hosting environments should be considered in danger if left without a proper patch.
Besides Oracle, the MariaDB and Percona teams have also released patches to fix Golunski's reported flaws.
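To turn the version list above into a check an administrator can run against the output of SELECT VERSION(), here is an added example (not code from the article or from the researcher). It assumes the thresholds exactly as printed above, that MariaDB reports its name in the version string, and that Percona Server is identified by the caller, since its VERSION() output usually carries no vendor name.

```python
import re

# Vulnerable upper bounds as printed in the article: (bound, inclusive).
# MySQL bounds are "<=" (inclusive); MariaDB and Percona bounds are "<".
VULNERABLE = {
    "mysql":   [("5.5.51", True), ("5.6.32", True), ("5.7.14", True)],
    "mariadb": [("5.5.52", False), ("10.1.18", False), ("10.0.28", False)],
    "percona": [("5.5.51-38.2", False), ("5.6.32-78-1", False), ("5.7.14-8", False)],
}

# major.minor.patch, optionally followed by a numeric release suffix ("-78.1", "-8").
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+(?:[.-]\d+)*))?")


def parse_version(text):
    """Turn '5.6.32-78.1-log' into (5, 6, 32, 78, 1); trailing build tags are ignored."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(m.group(i)) for i in (1, 2, 3)]
    if m.group(4):
        parts += [int(p) for p in re.split(r"[.-]", m.group(4))]
    return tuple(parts)


def detect_product(version_text):
    """Heuristic (assumption): MariaDB names itself in VERSION(); Percona usually does not."""
    lowered = version_text.lower()
    if "mariadb" in lowered:
        return "mariadb"
    if "percona" in lowered:
        return "percona"
    return "mysql"


def is_vulnerable(version_text, product=None):
    """True/False for branches the advisory lists, None when the branch is not covered."""
    product = product or detect_product(version_text)
    running = parse_version(version_text)
    for bound, inclusive in VULNERABLE[product]:
        limit = parse_version(bound)
        if running[:2] != limit[:2]:      # compare only within the same release branch
            continue
        if product == "percona":          # Percona's release suffix is part of the bound
            r, l = running, limit
        else:                             # distro suffixes (e.g. -0ubuntu...) are irrelevant
            r, l = running[:3], limit[:3]
        return r < l or (inclusive and r == l)
    return None
```

A None result means the running branch is outside the article's table, not that it is safe; check the vendor's own advisory for it.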
Attackers won't wait, and neither should you
At the end of October, the Joomla Project released two security updates for the Joomla CMS.
After three days, attackers were mass-scanning the Internet and attempting to exploit the flaws. Sucuri's CTO said that all Joomla CMSs left unpatched by that date are most likely already compromised.
With MySQL being used for far more than just websites, and with Golunski's proof-of-concept code now available online, you can safely say the same thing about MySQL databases that have been left exposed.