Alert

Exploits Affecting MySQL

Recently-disclosed zero-day exploits affecting MySQL and its various forks (including MariaDB and Percona) allow for complete compromise of vulnerable systems.

The exploits allow attackers to inject content into MySQL configuration files, create new configuration files altogether, and execute arbitrary code with root privileges. The vectors for these exploits include authenticated web-based access (using tools like phpMyAdmin) and successful SQL injection attacks against MySQL database instances. All version branches of MySQL are affected by this vulnerability, including versions 5.5, 5.6, and 5.7.

MariaDB and Percona have both released patches for these exploits, and more information can be found at their respective pages: MariaDB Security Update and Percona Security Update.

The next critical patch update due for release by Oracle is scheduled for October 18, 2016. In the meantime, administrators of MySQL database instances should ensure that no MySQL configuration files are owned by the ‘mysql’ user. In addition, administrators can implement placeholder my.cnf files that are owned by root to prevent the creation of new configuration files.
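The two interim mitigations above, written out as an added shell example (not part of the original alert or of any vendor tooling): one function reports configuration files owned by the service user, the other creates root-owned, mode 0644 placeholders at locations where no file exists yet. The path list is an assumption for a typical Linux install; the real set of locations the server reads varies by distribution.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes GNU `stat` (BSD fallback
# included) and the configuration paths below, which should be adjusted to
# match the locations reported by `mysqld --help --verbose` on the host.
MYSQL_CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /etc/mysql/conf.d /etc/mysql/mysql.conf.d"

file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Print every existing file under the given paths (files or directories)
# that is owned by the service user, one path per line.
audit_mysql_cnf() {
    service_user="$1"; shift
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f -print | while IFS= read -r f; do
            if [ "$(file_owner "$f")" = "$service_user" ]; then
                printf 'owned by service user: %s\n' "$f"
            fi
        done
    done
}

# Create an empty, mode 0644 placeholder at each file path that does not
# exist yet. Directory paths (*.d) are skipped. Ownership is set to root
# only when run as root; otherwise the file stays owned by the caller.
place_mysql_cnf() {
    for p in "$@"; do
        case "$p" in *.d) continue ;; esac
        [ -e "$p" ] && continue
        : > "$p" && chmod 0644 "$p"
        if [ "$(id -u)" -eq 0 ]; then
            chown root:root "$p"
        fi
        printf 'placeholder created: %s\n' "$p"
    done
}

# Run against the real system only when explicitly requested, so the
# functions can be sourced and exercised against test directories.
if [ "${MYSQL_CNF_AUDIT:-}" = "1" ]; then
    audit_mysql_cnf mysql $MYSQL_CNF_PATHS
    place_mysql_cnf $MYSQL_CNF_PATHS
fi
```

Run it as root with `MYSQL_CNF_AUDIT=1` to audit and remediate the listed paths; any file it reports should be reassigned to root before the server is restarted.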