Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-6662

Опубликовано: 12 сент. 2016
Источник: redhat
CVSS3: 9.8
CVSS2: 7.1
EPSS Высокий

Описание

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.

Отчет

All MySQL and MariaDB packages in Red Hat Enterprise Linux and Red Hat Software Collections install the my.cnf configuration file in /etc as root-owned and not writeable to mysqld's mysql user. This default configuration stops the published exploit for this issue. All MySQL and MariaDB packages for Red Hat Enterprise Linux 7 (either those directly included in Red Hat Enterprise Linux 7 or from Red Hat Software Collections for Red Hat Enterprise Linux 7) run mysqld_safe with mysql user privileges and not root privileges, limiting the potential impact to code execution as mysql system user. The MySQL 5.1 packages in Red Hat Enterprise Linux 6 do not implement support for library preloading, completely preventing the remote attack vector used by the published exploit. For additional details, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1375198#c12

Меры по смягчению последствий

  • Ensure all MySQL / MariaDB configuration files are not writeable to the mysql user. This is the default configuration in Red Hat products.
  • Ensure that non-administrative database users are not granted FILE privilege. Applications accessing data in MySQL / MariaDB databases, including web application potentially vulnerable to SQL injections, should use database accounts with the lowest privileges required.
  • If FILE permission needs to be granted to some non-administrative database users, use secure_file_priv setting to limit where files can be written to or read from.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5mysqlNot affected
Red Hat Enterprise Linux 5mysql55-mysqlWill not fix
Red Hat Mobile Application Platform 4millicoreNot affected
Red Hat OpenStack Platform 10 (Newton)mariadb-galeraNot affected
Red Hat Enterprise Linux 6mysqlFixedRHSA-2017:018424.01.2017
Red Hat Enterprise Linux 7mariadbFixedRHSA-2016:259503.11.2016
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6mariadb-galeraFixedRHSA-2016:205813.10.2016
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7mariadb-galeraFixedRHSA-2016:205913.10.2016
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7mariadb-galeraFixedRHSA-2016:206013.10.2016
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7mariadb-galeraFixedRHSA-2016:206113.10.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-732
https://bugzilla.redhat.com/show_bug.cgi?id=1375198mysql: general_log can write to configuration files, leading to privilege escalation (CPU Oct 2016)

EPSS

Процентиль: 100%
0.89167
Высокий

9.8 Critical

CVSS3

7.1 High

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-6662

CVSS3: 9.8
ubuntu
почти 9 лет назад

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

nvd логотип

CVE-2016-6662

CVSS3: 9.8
nvd
почти 9 лет назад

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

debian логотип

CVE-2016-6662

CVSS3: 9.8
debian
почти 9 лет назад

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5 ...

suse-cvrf логотип

openSUSE-SU-2016:2448-1

suse-cvrf
почти 9 лет назад

Security update for mariadb

suse-cvrf логотип

SUSE-SU-2016:2404-1

suse-cvrf
почти 9 лет назад

Security update for mariadb

EPSS

Процентиль: 100%
0.89167
Высокий

9.8 Critical

CVSS3

7.1 High

CVSS2