Latest MySQL database vulnerability report_MySQL

Recently, a code execution vulnerability (CNNVD-201609-183) in the MySQL database was disclosed on the Internet. Due to certain flaws in the default configuration of the MySQL database, attackers can use this vulnerability to tamper with the database configuration file, execute arbitrary code with administrator privileges, and remotely control the affected server. Currently, Oracle's official website has announced that critical patch update information will be released in October.

1. Vulnerability introduction

Oracle MySQL is an open source relational database management system from Oracle Corporation in the United States.

The configuration file (my.cnf) in the MySQL database has a remote code execution vulnerability (vulnerability number: CNNVD-201609-183, CVE-2016-6662). The following versions are affected by this vulnerability: MySQL 5.7.15 and earlier versions , 5.6.33 and previous versions, 5.5.52 and previous versions.

CNNVD sorted out the utilization principles of the above vulnerabilities and summarized them as follows:

The MySQL service has two processes on the server, one of which has administrator (root) permissions and the other has ordinary user (MySQL) permissions. A process with administrator (root) permissions can load and execute the dynamic link library (so library) declared in the configuration file, and modify the above configuration file through SQL statements or adding triggers under specific file permissions, resulting in When the MySQL service is restarted, a process with administrator (root) privileges loads and executes the dynamic link library and executes arbitrary code to achieve the purpose of elevating privileges.

2. Vulnerability hazards

An attacker (local or remote) can use this vulnerability to modify the configuration file through normal access or malicious injection, thereby executing arbitrary code with administrator privileges and fully controlling the affected server.

2. Currently, the open source databases MariaDB and PerconaDB using the MySQL kernel are affected by this vulnerability, and a vulnerability fix patch was released on September 6.

3. Repair measures

Oracle’s official website will release a critical patch update on October 18. Users who may be affected are asked to pay attention to the information in time to fix vulnerabilities and eliminate hidden dangers.

Announcement link: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Users who deploy MySQL databases should promptly check whether the MySQL version they are using is within the affected range. If affected, you can take this mitigation plan: turn off the MySQL user's file permissions.