Two Critical MySQL Bugs Discovered (infoworld.com)
An anonymous reader quotes InfoWorld:
Two critical privilege escalation vulnerabilities in MySQL, MariaDB, and PerconaDB can help take control of the whole server, which is very bad for shared environments... Administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database...
The first vulnerability, a privilege escalation/race condition flaw, gives elevated privileges to a local system user with access to a database and allows them to execute arbitrary code as the database system user. This gives an attacker access to all of the databases on the affected server... The privilege escalation/race condition flaw can be chained with another critical vulnerability, a root privilege escalation vulnerability, to further elevate the system level user to gain root on the server.
I recommend Oracle (Score:3, Funny)
Signed,
Larry
Re: (Score:2, Insightful)
The sad thing is, Oracle is still by far the best RDBMS out there. Sometimes you do get what you pay for.
Re: (Score:2)
OP was referring to an Oracle advertising campaign from earlier this millennium - they referred to their database as "unbreakable".
It ended up being a rather short campaign for obvious reasons...
Re: (Score:2)
Nonsense, shill-boy, plenty of superior DBMS out there that even scale better than Oracle, such as DB2.
Besides Oracle is now shaky and unstable, I had to put in a few hours this weekend because of long standing bugs they've yet to fix.
Add to that their goons "audit" a customer like mafia thugs, claiming the customer has to even pay for hardware where Oracle doesn't run because it might run there! Then the customer has to either pay up or buy Oracle hardware.
The sad thing is that Oracle is circling the drai
Re: (Score:1)
Sounds like you aren't the one paying the bills.
Buy it sometime for a business and tell me how great it is.
Re: (Score:1)
Oh, and then ask for some of the support that you paid for. I'm not paying for it, I see the bills and I'm still really upset. Their customer service is crap. Their attitude is crap, especially when it comes to security. They don't care.
I'll stop there or I'd be typing all night. Wherever Oracle is, they really should have a parking space with my name on it as a sponsor.
Re: (Score:2)
My employer uses it for mission critical systems. Sadly, it breaks. I remember back when it could have uptime in years, but that's not now.
WTF (Score:1)
MySQL runs a thread or process as root? Why?
Re: (Score:2)
Hey, root access makes things easier. People are just lazy...
Re:WTF (Score:4, Informative)
MySQL runs a thread or process as root? Why?
It doesn't. Read the hack, it's using a symlink attack on error.log to gain access to an arbitrary root owned file.
Re: (Score:2)
Re: (Score:2)
The second exploit relies on mysqld_safe (sic) being run as root, otherwise the whole thing falls flat: you can make error_log a symlink to /etc/ld.so.preload as much as you like, but you won't be able to chown the latter and overwrite it.
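The two comments above describe the chain the same way: the error log is replaced by a symlink to a root-owned file, and that only matters if mysqld_safe is running as root. The following is an added example, not code from the thread, from InfoWorld or from any MySQL/MariaDB/Percona project: a read-only audit in POSIX sh that checks both conditions. The log path and the `ps` lines it is fed are constructed placeholders; on a real host you would pass the server's configured `log_error` path, its log directory, and the output of `ps -eo user=,comm=`.

```shell
#!/bin/sh
# Added example: audit the two conditions named in the thread.
# Assumptions (labelled): log paths are placeholders; the ps text is constructed.

# audit_log_path LOGFILE ALLOWED_DIR
# Returns 0 when LOGFILE is not a symlink and its path sits directly under
# ALLOWED_DIR; returns 1 (and prints a WARN line) when it is a symlink or when
# its path lies outside ALLOWED_DIR. A dangling symlink still counts as a symlink.
# Note: this is a path-prefix check, it does not resolve symlinked parent dirs.
audit_log_path() {
    logfile=$1
    allowed=$2
    if [ -L "$logfile" ]; then
        echo "WARN: $logfile is a symlink -> $(readlink "$logfile")"
        return 1
    fi
    case "$logfile" in
        "$allowed"/*) return 0 ;;
        *) echo "WARN: $logfile lies outside $allowed"; return 1 ;;
    esac
}

# root_db_processes PS_TEXT
# PS_TEXT is text shaped like `ps -eo user=,comm=` output ("user command" per
# line). Prints a WARN line for every mysqld / mysqld_safe entry owned by root
# and returns 1 if any were found, 0 otherwise. (For a shebang script such as
# mysqld_safe, Linux sets comm to the script's basename, so the name matches.)
root_db_processes() {
    hits=$(printf '%s\n' "$1" | awk '
        $1 == "root" && ($2 == "mysqld" || $2 == "mysqld_safe") {
            print "WARN: " $2 " is running as root"
        }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# --- demo on constructed input (not real system output) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/log"
: > "$demo_dir/log/error.log"                      # a normal regular file
ln -s /etc/ld.so.preload "$demo_dir/log/evil.log"   # the pattern the thread describes

SAMPLE_PS='root mysqld_safe
mysql mysqld
root sshd'

audit_log_path "$demo_dir/log/error.log" "$demo_dir/log" && echo "ok: error.log is a regular file in the log dir"
audit_log_path "$demo_dir/log/evil.log" "$demo_dir/log" || echo "flagged: symlinked log file"
root_db_processes "$SAMPLE_PS" || echo "flagged: database process owned by root"
rm -rf "$demo_dir"
```

Both functions are deliberately read-only so they can be dropped into a cron job or a configuration-management check; the fix for either finding is the one the thread implies, i.e. run the wrapper and server as the unprivileged database user and keep the error log a regular file in a directory that user owns.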
Re: (Score:2)
The only thing I know about MySQL is to 'run away'. _Never_ take jobs/contracts at companies that incompetent.
If MySQL wasn't leaking root privileges it would be an OS bug. For MySQL to leak it, it has to have it.
Re: (Score:3)
What kind of kindergarten shit is this?
Well, it's mostly people who don't know any better (ie, the vast majority). If you need a relational database, you want real SQL like Postgres. If you're happy with a flat store, there are more efficient solutions that don't pretend to be SQL.
Re: (Score:1)
Nobody who cares about their data uses innodb. I guess you've never experienced any type of file corruption. The makers of innodb cannot be bothered to write tools to detect errors, much less do anything about them. "Get database dumps" is the wrong fucking answer! All it takes is a single bit getting flipped to ruin an entire datastore -- which can be multiple databases.
Re: (Score:2)
It's not a binary toggle. You shouldn't provide unfettered shell access on your server to your users unless it's necessary for the function of that server. And, if it is, running your database from that same server is unwise.
Re: (Score:1)
Ingres.
Re: (Score:2)
MySQL and its metastases is just non-standard enough. Once you use it, you're stuck with it or you get to start over.
Re: (Score:1)
Indeedy, I learnt Postgres over ten years ago, when 8.0 was current.
I chose it largely because people were touting it as better than MySQL. I didn't know any SQL back then, but I had a fairly simple PHP/MySQL app I could port over. The porting taught me quite a bit.
Today, if I were to start from zero again and had the time, I'd learn Firebird. Not that there's anything wrong with Pg, I'd do it just out of curiosity. If the Moscow stock exchange runs it, it must be pretty damn powerful ...
Re: (Score:2)
Multi-master replication across multiple datacenters for high availability and low latency reads. How many databases have this feature right now?
Re:Seriously who? Postgresql (Score:3)
https://2ndquadrant.com/en/res... [2ndquadrant.com]
You're welcome.
Re: (Score:1)
Re:Seriously who? Postgresql-XC (Score:3)
Postgresql-XC http://postgres-xc.sourceforge... [sourceforge.net]
You're welcome.
MySQL is not webscale (Score:1, Funny)
MySQL is not webscale. Why didn't you use MongoDB? MongoDB is a web scale database, and doesn't use SQL or JOINs, so it's high-performance. Everybody knows that relational databases don't scale because they use JOINs and write to disk. Relational databases weren't built for web scale. MongoDB handles web scale. You turn it on and it scales right up. MySQL is slow as a dog. MongoDB will run circles around MySQL because MongoDB is web scale.
Re: (Score:1)
High performance is no use with poor functionality (Score:2, Informative)
Sure, MongoDB is fast. But having used it after spending years with relational DBs, my opinion of it is that it's a little more than a toy that's one step up from a flat file and is basically a throwback to what existed back in the 70s before RDBs came along.
If all you want is a key value store then knock yourself out, but if you want proper relational operations - and don't say they're not important, they damn well are in any serious business data - then forget it. Mongo has some relational operators hacked in an
Re:High performance is no use with poor functional (Score:5, Insightful)
Apparently you are unaware of this... https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Youtube's automatic captioning works beautifully with those computer-generated voices.
Re: (Score:2)
Sure, MongoDB is fast.
The problem with Mongo is that it's ruled by Ming the Merciless.
On the other hand, MySQL is ruled by Larry Ellison, so..... euh, Mongo it is then.
Old news (even for Slashdot) (Score:5, Informative)
Both of these vulnerabilities were fixed in MySQL two [mysql.com] months [mysql.com] ago [mysql.com]. I assume MariaDB and Percona have long since applied the patches as well.
So the big takeaway here is, "If you've not upgraded to the latest release yet, why the hell not?"
Re: (Score:2)
Has everyone actually applied these patches, though? I'd imagine that AWS has already patched all of the RDS instances that they manage for companies, but have all of the smaller organizations that use MySQL as an embedded database?
Re: (Score:2)
All they need to do is upgrade to the latest release. I believe there has actually been another release in each current series (5.5, 5.6, 5.7) since the releases incorporating the fix.
I still think it's a slow news day at InfoWorld.
I use Freebsd (Score:2)
And use jails. I don't seem to have this problem. Oh what is this SystemD I keep hearing about too?
Public IP Address? (Score:1)