Monday, September 12, 2016

MySQL Security Issue (CVE-2016-6662)

A critical vulnerability that affects all MySQL version branches was recently announced.

Affected versions are:
    MySQL <= 5.7.15
    MySQL <= 5.6.33
    MySQL <= 5.5.52
MySQL clones (MariaDB, PerconaDB...) are also affected.

This issue allows attackers to inject malicious settings into a MySQL configuration file, locally or remotely. Either authenticated access (over a network connection or a web interface) or SQL injection can be used as the exploitation vector to achieve remote root code execution. For more information, see the original advisory.

Official patches are not available yet. As a temporary mitigation, users should ensure that MySQL configuration files are not owned by the mysql user, and create root-owned dummy my.cnf files in the configuration locations that are not in use. This is not a complete solution; we will re-check new MySQL/MariaDB versions when they are available.
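As an added example (constructed for this post, not Bitnami's own tooling), the shell script below audits the default MySQL option-file locations for the two conditions the mitigation targets, a file owned by the service account or writable by group/others, and creates root-owned placeholders where no file exists yet. It assumes a stock Linux layout for the search paths and the service account name mysql; both are parameters.

```shell
#!/bin/sh
# Audit helper for the CVE-2016-6662 mitigation described above (constructed example):
# report MySQL option files that the service account could rewrite, and create
# root-owned placeholders where none exist.
set -u

# Locations mysqld reads options from by default (assumption: stock Linux layout;
# adjust if the service is started with an explicit --defaults-file).
DEFAULT_CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf"

# Print the owning user of FILE (GNU stat first, BSD stat as fallback).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# cnf_status FILE SERVICE_USER -> prints MISSING, OK or RISK.
# RISK: the file is owned by the service account or is group/world writable, so a
# compromised mysqld could rewrite it and the settings are honoured on the next restart.
cnf_status() {
    f=$1; svc=$2
    [ -e "$f" ] || { echo MISSING; return 0; }
    if [ "$(file_owner "$f")" = "$svc" ]; then echo RISK; return 0; fi
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo RISK; return 0
    fi
    echo OK
}

# ensure_placeholder FILE: create an empty, owner-only-writable option file so the
# service account cannot create one there itself. Needs root for the /etc paths.
ensure_placeholder() {
    [ -e "$1" ] && return 0
    : > "$1" && chmod 0644 "$1"
}

# audit_cnf SERVICE_USER PATH... : prints one "path status" line per file,
# returns 1 if any file is at RISK.
audit_cnf() {
    svc=$1; shift; rc=0
    for p in "$@"; do
        s=$(cnf_status "$p" "$svc")
        printf '%s %s\n' "$p" "$s"
        [ "$s" = RISK ] && rc=1
    done
    return $rc
}

case "${1:-}" in
    audit) audit_cnf mysql $DEFAULT_CNF_PATHS ;;
esac
```

Run it as `sh cnf_audit.sh audit` (as root, so ownership can be read everywhere); a non-zero exit means at least one option file needs its owner or mode fixed.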

We want to let you know that Bitnami Stacks (VMs, Cloud Images, Docker containers and Native Installers) are not affected, since our MySQL configuration file is not owned by the mysql user and we explicitly define the configuration file when starting the service, using the parameter below:
    --defaults-file=/opt/bitnami/mysql/my.cnf

As a result, any other my.cnf file that is created will be ignored.

Do you have questions about the security issue? Post to our community forum, and we will be happy to help you.