Comments on: Is Your Database Affected by CVE-2016-6662?
https://www.percona.com/blog/database-affected-cve-2016-6662/
Thu, 15 Jun 2023 21:17:21 +0000

By: Ashraf (Fri, 23 Sep 2016 14:21:15 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10967049

According to the Red Hat Customer Portal, https://access.redhat.com/security/cve/cve-2016-6662 :

“The MySQL 5.1 packages in Red Hat Enterprise Linux 6 do not implement support for library preloading, completely preventing the remote attack vector used by the published exploit.”

By: soruzmanina (Fri, 23 Sep 2016 11:08:55 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10967046

Hi,
The vulnerability of MySQL on Windows system should be effective?

By: Johan De Meersman (Mon, 19 Sep 2016 14:10:59 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10967012

Yes, the vulnerability is really in the MySQL server itself, which allows malicious code to write out files it shouldn’t be able to. If it can modify your configuration to include a malicious plugin, you are vulnerable. The mysqld_safe patch is really just a workaround to filter those out.
(reposting as reply to post)

By: Ricardo Abech (Mon, 19 Sep 2016 13:40:38 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10967009

So, if I am NOT running mysqld_safe (instead running default mysqld on Windows), am I affected by this CVE?

Thanks

By: Johan De Meersman (Thu, 15 Sep 2016 21:58:50 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966981

I’ve updated the playbook to reflect Patrick’s catch of a flaw in the Percona patch. The playbook will take care of removing that patch first if you had already applied it.

By: dbpercona (Thu, 15 Sep 2016 15:57:06 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966979

Patrick, we have reviewed the changes and you are indeed correct. The wildcard matching on /{libdir}/* will allow for parent directories to be appended to the library path spec. We will be releasing a fix for this. Nice catch! Thank you!
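
The wildcard problem confirmed above and reported by Patrick Forsberg further down, as an added illustration that is not part of the thread and is not Percona's or Oracle's patch code: a prefix glob accepts a path that leaves the allowed directory through ".." or a symlink, while resolving the directory before comparing does not. The function names, the ALLOWED_DIRS variable and the sample paths are assumptions made for this example.

```sh
# Constructed illustration; function names and ALLOWED_DIRS are hypothetical,
# not taken from mysqld_safe or any vendor patch.
ALLOWED_DIRS="${ALLOWED_DIRS:-/usr/lib /usr/lib64}"

# Weak check: in a shell pattern "*" also matches "/" and "..", so anything
# that merely starts with an allowed prefix is accepted.
weak_allow() {
  for d in $ALLOWED_DIRS; do
    case "$1" in
      "$d"/*) return 0 ;;
    esac
  done
  return 1
}

# Stricter check: absolute paths only, no ".." components, and the parent
# directory is resolved physically (symlinks followed) before comparison.
strict_allow() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    */../*|*/..) return 1 ;;
  esac
  real=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
  for d in $ALLOWED_DIRS; do
    case "$real" in
      "$d"|"$d"/*) return 0 ;;   # safe here: $real contains no ".." or symlinks
    esac
  done
  return 1
}

# Constructed sample paths (the library name is made up).
for p in /usr/lib/libexample.so /usr/lib/../../tmp/libexample.so; do
  weak_allow "$p" && w=accept || w=reject
  strict_allow "$p" && s=accept || s=reject
  printf '%-36s weak=%s strict=%s\n' "$p" "$w" "$s"
done
```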

By: Johan De Meersman (Thu, 15 Sep 2016 15:41:56 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966977

Thank you for the excellent explanation, Kenny. For those interested, I’ve put a simple Ansible playbook to patch mysqld_safe at https://github.com/meersjo/ansible-mysql-cve-2016-6662 .

By: Patrick Forsberg (Thu, 15 Sep 2016 12:21:37 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966975

If I haven’t missed something, then the patch by Percona isn’t fixing the issue with non-standard directories.

It’s supposed to limit preloading libraries to /usr/lib64 and /usr/lib but as far as I can see you can use “dot dot” escaping to supply a path outside these libraries.

/Patrick

By: Dmitry Pupking (Thu, 15 Sep 2016 05:56:50 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966973

Thanks!

By: Kenny Gryp (Thu, 15 Sep 2016 05:50:18 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966972

5.1 seems unaffected by this as mysqld_safe.sh does not have the --malloc-lib configuration option and does not contain LD_PRELOAD related code:

Source Code: https://github.com/percona/percona-server/blob/5.1/Percona-Server/scripts/mysqld_safe.sh

By: Kenny Gryp (Thu, 15 Sep 2016 05:45:43 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966971

The fixed versions in Percona Server and Oracle MySQL contain code changes that disallow loading shared libraries from non-standard directories (allows /usr/lib, /usr/lib64…). These directories require root access and are not writeable by the mysql user, so it requires another vulnerability to be able to get the shared libraries written to those paths.

This means the vulnerability mentioned in CVE-2016-6662 is not exploitable on these versions.

The information on http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html must have a slight bug where it should be < instead of <=

By: YOGESH KORE (Thu, 15 Sep 2016 00:29:32 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966965

On the same line with Bernhard, It states, You aren’t affected if you use version 5.5.52, 5.6.33 or 5.7.15. But report on legalhackers.com says those are affected versions. Do you want to say other way round?

By: Bernhard (Wed, 14 Sep 2016 15:39:55 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966964

It states, You aren’t affected if you use version 5.5.52, 5.6.33 or 5.7.15.

So I read it like, all other versions are affected. Anyway, I did both the suggestions to be sure.

1. Create an (empty) my.cnf and .my.cnf in the datadir (usually /var/lib/mysql) and make root the owner/group with 0644 permissions.

2. Added the suggestions to file /usr/bin/mysqld_safe

as described here.

https://www.psce.com/blog/2016/09/12/how-to-quickly-patch-mysql-server-against-cve-2016-6662/

By: PLR (Wed, 14 Sep 2016 14:32:35 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966963

Still says 10.0.26-MariaDB-0+deb8u1, I’m not worried though. The only way anyone can get in my server is if they hold a gun to my head since I’ve locked down all of it. Each database has their own user and root is disabled. The machine running the DB isn’t visible to the internet at all. So I’m going to leave it for now, did the upgrade, no version to go with it, so meh.

By: Paul (Wed, 14 Sep 2016 14:03:04 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966962

If you have upgraded and restarted mysqld, then see what select @@VERSION says

Some repository maintainers do not bump the stated version number when they are backporting fixes (i.e. Red Hat are notable for this)

By: Paul (Wed, 14 Sep 2016 14:02:40 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966961

Sorry, ignore this. I replied to the wrong comment 🙂

By: Paul (Wed, 14 Sep 2016 14:02:02 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966960

If you have upgraded and restarted mysqld, then see what select @@VERSION says

Some repository maintainers do not bump the stated version number when they are backporting fixes (i.e. Red Hat are notable for this)

By: PLR (Wed, 14 Sep 2016 13:35:47 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966958

I just ran an update on my Debian install and the version reported is 10.0.26 still, even though there was an update for the MariaDB client and server that ran. Has Debian pushed packages out yet after Aug 25 update?

By: Dmitry Pupking (Wed, 14 Sep 2016 13:21:29 +0000) https://www.percona.com/blog/database-affected-cve-2016-6662/#comment-10966957

Hi! I’m interested in the same question. Is the 5.1 branch also affected?
I use CentOS 6.6, and only this version of MySQL exists in the repository.
