A researcher has published details and a limited proof-of-concept exploit for a critical vulnerability in MySQL that has been patched by some vendors, but not yet by Oracle. The vulnerability allows an attacker to remotely or locally exploit a vulnerable MySQL database and execute arbitrary code, researcher Dawid Golunski of Legal Hackers wrote today in an advisory.
The flaw affects MySQL 5.7.15, 5.6.33 and 5.5.52. It has been patched in vendor deployments of MySQL in MariaDB and PerconaDB. Golunski said in his advisory that he reported the vulnerability to Oracle and other affected vendors on July 29. MariaDB and PerconaDB patched their versions of the database software before the end of August. Golunski said that since more than 40 days have passed and the two vendor fixes are public, he decided to disclose.
“As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October,” Golunski said. “No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”
A request to Oracle for comment was not returned in time for publication. Oracle’s next quarterly Critical Patch Update is scheduled for Oct. 18; the last one in July addressed a record 276 vulnerabilities across Oracle’s product lines. Golunski said the vulnerability, CVE-2016-6662, can be exploited via SQL injection attack, or by an attacker with valid credentials either locally or over the Web via phpMyAdmin, for example.
“A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running,” Golunski said.