Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Bug Databases IT

Two Critical MySQL Bugs Discovered ( 70

An anonymous reader quotes InfoWorld: Two critical privilege escalation vulnerabilities in MySQL, MariaDB, and PerconaDB can help take control of the whole server, which is very bad for shared environments... Administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database... The first vulnerability, a privilege escalation/race condition flaw, gives elevated privileges to a local system user with access to a database and allows them to execute arbitrary code as the database system user. This gives an attacker access to all of the databases on the affected server... The privilege escalation/race condition flaw can be chained with another critical vulnerability, a root privilege escalation vulnerability, to further elevate the system level user to gain root on the server.
This discussion has been archived. No new comments can be posted.

Two Critical MySQL Bugs Discovered

Comments Filter:
  • by 110010001000 ( 697113 ) on Saturday November 05, 2016 @12:39PM (#53218939) Homepage Journal
    Oracle is unbreakable.

    • Re: (Score:2, Insightful)

      by Lisandro ( 799651 )

      The sad thing is, Oracle is still by far the best RDBMS out there. Sometimes you do get what you pay for.

      • nonsense, shill-boy, plenty of superior DBMS out there that even scale better than Oracle, such as DB2.

        Besides Oracle is now shaky and unstable, I had to put in a few hours this weekend because of long standing bugs they've yet to fix.

        Add to that their goons "audit" a customer like mafia thugs, claiming the customer has to even pay for hardware where Oracle doesn't run because it might run there! Then the customer has to either pay up or buy Oracle hardware.

        The sad thing is that Oracle is circling the drai

      • by ebvwfbw ( 864834 )

        Sounds like you aren't the one paying the bills.

        Buy it sometime for a business and tell me how great it is.

      • by ebvwfbw ( 864834 )

        Oh, and then ask for some of the support that you paid for. I'm not paying for it, I see the bills and I'm still really upset. Their customer service is crap. Their attitude is crap, especially when it comes to security. They don't care.

        I'll stop there or I'd be typing all night. Wherever Oracle is, they really should have a parking space with my name on it as a sponsor.

    • my employer uses it for mission critical systems. sadly, it breaks. I remember back when it could have uptime in years, but that's not now

  • MySQL runs a thread or process as root? Why?

    • Hey, root access makes things easier. People are just lazy...

    • Re:WTF (Score:4, Informative)

      by XXeR ( 447912 ) on Saturday November 05, 2016 @01:41PM (#53219197)

      MySQL runs a thread or process as root? Why?

      It doesn't. Read the hack, it's using a symlink attack on error.log to gain access to an arbitrary root owned file.

  • by Anonymous Coward

    MySQL is not webscale. Why didn't you use MongoDB? MongoDB is a web scale database, and doesn't use SQL or JOINs, so it's high-performance. Everybody knows that relational databases don't scale because they use JOINs and write to disk. Relational databases weren't built for web scale. MongoDB handles web scale. You turn it on and it scales right up. MySQL is slow as a dog. MongoDB will run circles around MySQL because MongoDB is web scale.

  • by Zontar The Mindless ( 9002 ) <> on Saturday November 05, 2016 @02:56PM (#53219481) Homepage

    Both of these vulnerabilities were fixed in MySQL two [] months [] ago []. I assume MariaDB and Percona have long since applied the patches as well.

    So the big takeaway here is, "If you've not upgraded to the latest release yet, why the hell not?"

    • Has everyone actually applied these patches, though? I'd imagine that AWS has already patches all of their RDS instances that they manage for companies, but have all of the smaller organizations that use MySQL as an embedded database?

      • All they need to do is upgrade to the latest release. I believe there has actually been another release in each current series (5.5, 5.6, 5.7) since the releases incorporating the fix.

        I still think it's a slow news day at InfoWorld.

  • And use jails. I don't seem to have this problem. Oh what is this SystemD I keep hearing about too?

  • Can someone explain to me if it is common practice to expose the IP address of the SQL data base server? I've set up MySQL a couple of times but I'm no expert but that just seems like asking for it to me.

All Finagle Laws may be bypassed by learning the simple art of doing without thinking.