Critical vulnerability found in MySQL (and derivatives) (CVE-2016-6662)

News

Recently a critical vulnerability was found in several MySQL versions (and derivatives). This article informs you about the vulnerability, which systems are affected, and how to apply the update.

In this article you will read the following:

  1. Background information on this vulnerability
  2. Vulnerable systems
  3. Installing the update
  4. For more information

1. Background information on this vulnerability:

The vulnerability in MySQL can be exploited by both local and remote attackers. The attack can be carried out either via SQL injection or via local authenticated access, and it allows the attacker to execute arbitrary code as the root user.

2. Vulnerable systems:

The following systems and versions are vulnerable:

  • MySQL 5.7.15 and lower
  • MySQL 5.6.33 and lower
  • MySQL 5.5.52 and lower
  • MariaDB 5.5.50 and lower
  • MariaDB 10.0.26 and lower
  • MariaDB 10.1.16 and lower
  • Percona Server 5.5.50-38.0 and lower
  • Percona Server 5.6.31-77 and lower
  • Percona Server 5.7.13-6 and lower

Currently only MariaDB and Percona have released updates for this vulnerability. MySQL itself has not released any update yet; Oracle plans to release one around mid-October. Ubuntu has released updates for its supported distributions. Debian and CentOS currently have no updates available but will release them at a later date.

Is your version older than the branches listed above? Then you have to migrate to a newer system running a supported version, because no update will be released for your current version.
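As an added example (not part of the CloudVPS advisory), the following POSIX shell script compares an installed server version against the "and lower" thresholds listed above, so an administrator can confirm whether a host still needs the update; the `mysqld --version` banner lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a MySQL/MariaDB/Percona
# version against the vulnerable ranges listed above for CVE-2016-6662.

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) ai=${a%%.*}; a=${a#*.} ;; *) ai=${a:-0}; a= ;; esac
        case $b in *.*) bi=${b%%.*}; b=${b#*.} ;; *) bi=${b:-0}; b= ;; esac
        [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return; }
        [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# Highest still-vulnerable release per branch (the "and lower" values above).
max_vulnerable() {
    case $1 in
        mysql:5.5.*)    echo 5.5.52 ;;
        mysql:5.6.*)    echo 5.6.33 ;;
        mysql:5.7.*)    echo 5.7.15 ;;
        mariadb:5.5.*)  echo 5.5.50 ;;
        mariadb:10.0.*) echo 10.0.26 ;;
        mariadb:10.1.*) echo 10.1.16 ;;
        percona:5.5.*)  echo 5.5.50 ;;  # listed as 5.5.50-38.0 and lower
        percona:5.6.*)  echo 5.6.31 ;;  # listed as 5.6.31-77 and lower
        percona:5.7.*)  echo 5.7.13 ;;  # listed as 5.7.13-6 and lower
    esac
}

# check_version FLAVOR VERSION -> vulnerable | patched | not-listed
# Build suffixes such as Percona's "-38.0" are dropped, so every build of a
# listed upstream version counts as vulnerable (the conservative reading).
# A branch absent from the list is not covered by the advisory at all.
check_version() {
    ver=$(printf '%s' "$2" | sed 's/-.*//' | cut -d. -f1-3)
    limit=$(max_vulnerable "$1:$ver")
    if [ -z "$limit" ]; then echo not-listed; return; fi
    if [ "$(vercmp "$ver" "$limit")" -le 0 ]; then echo vulnerable; else echo patched; fi
}

# parse_banner LINE -> "flavor version", from the first line of `mysqld --version`
# (constructed sample: "mysqld  Ver 10.1.16-MariaDB for Linux on x86_64 (MariaDB Server)").
parse_banner() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9.]*\(-[0-9][0-9.]*\)\{0,1\}\).*/\1/p')
    case $1 in *MariaDB*) f=mariadb ;; *Percona*) f=percona ;; *) f=mysql ;; esac
    echo "$f $v"
}
# On a live host: check_version $(parse_banner "$(mysqld --version | head -n 1)")
```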

3. Installing the update:

Is your server managed via a control panel? Use the instructions below to apply the update.

DirectAdmin:

The update can be applied using the "custombuild" system of DirectAdmin. The following commands update the software list and then rebuild MySQL (and PHP against the new MySQL libraries). They have to be executed as the root user on the command line:

/usr/local/directadmin/custombuild/build clean
/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build mysql n
/usr/local/directadmin/custombuild/build php n

cPanel / WHM:

The update can be applied within WHM by logging in as the root user. In the menu on the left choose "Software" followed by "MySQL/MariaDB". Use the instructions provided on-screen.

Not using a control panel?

Use the following instructions to apply the update via your local package manager, and consult the (online) manual of your package manager where needed. Normally the following commands are sufficient to apply the update:

Debian / Ubuntu:

apt-get update
apt-get install mysql-server mysql-client

CentOS:

yum update

Applying the updates may take from several minutes up to 60 minutes, depending on the number of databases and the load on your server. If you are not able to apply the updates yourself, consult a local engineer for support.

Do you have an SLA2 agreement or higher? In that case it is possible to have the updates installed by CloudVPS within the available SLA hours.
If you are interested in this offer, please let us know by sending an email to support@cloudvps.com that refers to this article.

4. For more information:

More information about the update and vulnerabilities that are fixed can be read by visiting the following URL:

http://www.theregister.co.uk/2016/09/13/mysql_security_bug/

If you have any questions regarding this article, please send them to the CloudVPS Servicedesk at support@cloudvps.com. We will do our best to answer any questions you may have.