Polish security researcher Dawid Golunski has discovered two zero-day vulnerabilities (CVE-2016-6662 and CVE-2016-6663) that affect all currently supported MySQL versions. The vulnerabilities allow an attacker to take full control of the affected database server.
Golunski reports that he informed Oracle of the two vulnerabilities, as well as the developers of the MariaDB and PerconaDB forks of MySQL.
Today, after seeing that only the MariaDB and PerconaDB developers had patched the vulnerabilities while Oracle, the company most directly concerned, did nothing, the researcher published a PoC for the vulnerability.
It should be noted that Oracle follows a strict schedule for security updates, which are released every three months. Oracle's last Critical Patch Update (CPU) was released on July 19.
Golunski reported the vulnerabilities to Oracle on July 29 and, according to the researcher, Oracle's security team acknowledged them. The next Oracle CPU, however, is scheduled for October 18, 2016.
"The vulnerabilities were fixed by the PerconaDB and MariaDB developers by August 30," said Golunski.
"During patching, the developers published public logs and fixed the security issues."
"But more than 40 days have passed since the issues were reported and I decided to reveal (with limited PoC) the vulnerabilities to inform users of the risks before the next CPU update comes at the end of October," said the researcher.
The vulnerabilities in detail:
CVE-2016-6662 allows a remote or local attacker to inject custom settings into the my.cnf configuration file of a MySQL database server.
The issue affects only MySQL servers running the default configuration, and the injected settings take effect the next time the database is restarted and reads my.cnf. Database servers are routinely restarted during system and package updates.
By modifying my.cnf, an attacker can make the server load attacker-supplied code and run it with root privileges.
Golunski also reported CVE-2016-6663, a variant of CVE-2016-6662 that likewise allows remote code execution as root.
The researcher has suggested some temporary mitigations to protect servers until Oracle fixes the vulnerabilities in its next CPU.
"A temporary solution is to ensure that no MySQL configuration files are owned by the MySQL user, and to create dummy my.cnf files, owned by root, that are not in use."
Golunski says the above is only a temporary solution and that the patches should be applied as soon as they are released.
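The mitigation above can be turned into a repeatable check. The following script is an added example written for this article, not code from Golunski's advisory or from any MySQL vendor; it assumes a Linux host with GNU coreutils (`stat -c`), a service account named `mysql`, and the usual my.cnf search locations (confirm the real list on your build with `mysqld --help --verbose`).

```shell
#!/bin/sh
# Added example (not from the advisory or the article): audit the places
# where mysqld looks for my.cnf and flag any file the database service
# account could modify. Assumes Linux with GNU coreutils (stat -c).

# Typical my.cnf search locations on Linux packages (assumed; confirm the
# real list with: mysqld --help --verbose | grep -A 2 'Default options').
DEFAULT_CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf"

# audit_cnf_paths SERVICE_USER PATH...
# Prints one line per finding; returns 0 when clean, 1 when anything was
# flagged. Flagged: a path that does not exist (the service account may be
# able to create it), a file owned by the service account, or a file that
# is writable by group or others.
audit_cnf_paths() {
    svc_user="$1"; shift
    findings=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p  (create a root-owned, read-only placeholder)"
            findings=$((findings + 1))
            continue
        fi
        owner=$(stat -c '%U' "$p")
        sym=$(stat -c '%A' "$p")          # symbolic mode, e.g. -rw-r--r--
        if [ "$owner" = "$svc_user" ]; then
            echo "OWNED     $p  owned by service account '$owner'"
            findings=$((findings + 1))
        fi
        case "$sym" in
            ?????w????|????????w?)        # group- or world-writable
                echo "WRITABLE  $p  mode $sym"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# count_cnf_findings SERVICE_USER PATH...  -> prints the number of findings.
count_cnf_findings() {
    audit_cnf_paths "$@" | wc -l | tr -d ' '
}

# create_placeholder_cnf PATH: empty, read-only placeholder. Run as root so
# the file is root-owned and the service account cannot replace it.
create_placeholder_cnf() {
    install -m 0644 /dev/null "$1"
}

# Usage on a real host:  . ./audit_cnf.sh; audit_cnf_paths mysql $DEFAULT_CNF_PATHS
```

A non-zero exit from `audit_cnf_paths` is intended for use in a cron job or configuration-management run so that a config file that becomes writable by the service account is noticed before the next restart.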