MySQL Zero-Day Allows An Attacker To Take Full Control Of Database » TechWorm

http://www.techworm.net/2016/09/mysql-zero-day-allows-attacker-take-full-control-database.html

Two vulnerabilities found and proof-of-concept code published.

1 Comment

  1. Tomi Engdahl says:

    Bad news: MySQL can dish out root access to cunning miscreants
    Good news: Oracle sneaked some patches out
    http://www.theregister.co.uk/2016/09/13/mysql_security_bug/

    Security holes in MySQL can be abused to gain remote root access on poorly configured servers, it emerged on Monday.

    Patches to fix up the programming blunders were quietly released last week. The flaws are present in all default installations of MySQL 5.5, 5.6 and 5.7. Grab versions 5.5.52, 5.6.33 and 5.7.15 to avoid any trouble.

    The bugs were discovered by Dawid Golunski, who says he reported them to MySQL overseer Oracle on July 29.

    He found that you can misuse an SQL command to write arbitrary text to the open-source database’s configuration files. He has published limited proof-of-concept code showing how to open a remote root shell on a vulnerable installation.

    http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
