Sicherheitslücke MYSQL WICHTIG ZERO DAY ADMIN ZUGANG

Also weil es gibt noch keinen HILFE wen aber MYSQL dan aufpassen.
http://legalhackers.com/advisories/MyS…-2016-6662.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662

Wen MARIADB hat bereits in den

Zitat

It (CVE-2016-6662) is fixed in MariaDB 5.5.51, MariaDB 10.0.27 and MariaDB 10.1.17 - wich all are available in

Ich schreibe es hier weil vielen mit ältere Server oft dazu noch ältere MYSQL im einsatz haben.

Weiter den:

Zitat

I think also important to keep a eye on CVE-2016-6663 vulnerability

Zitat

VII. BUSINESS IMPACT
-------------------------

As discussed above the vulnerability could be exploited by attackers with both
privileged and unprivileged (with FILE privilege only) access to mysql accounts.
It could also be combined with CVE-2016-6663 vulnerability which will be released
shortly and could allow certain attackers to escalate their privileges to root
even without FILE privilege.

The vulnerability could also be exploited via an SQL injection vector, which
removes the need for the attackers to have direct mysql connection and increases
the risk of exploitation.

Successful exploitation could gain a attacker a remote shell with root privileges
which would allow them to fully compromise the remote system.

If exploited, the malicious code would run as soon as MySQL daemon gets
restarted. MySQL service restart could happen for a number of reasons.

Alles anzeigen

Aja info MariaDB:
https://mariadb.com/kb/en/mariadb/security/

Weil ZERO DAY BEIDES!
http://www.tecklyfe.com/tag/cve-2016-6663/

Zitat

MySQL Zero-Day Allows An Attacker To Take Full Control Of Database

Also noch ein extra Grund kein MYSQL mehr zu benutzen oder?

Zitat

While MariaDB and PerconaDB have fixed the vulnerabilities and Oracle has not, the researcher today has gone ahead and published the proof-of-concept exploit code for CVE-2016-6662.
The last Critical Patch Update (CPU) released by Oracle was on July
19, 2016. Oracle is on a strict security update release schedule that
rolls out once every three months and the next Oracle CPU update is
scheduled for October 18, 2016.

Sehe den neueste Beitrag von MariaDB

https://mariadb.org/mariadb-server…-cve-2016-6662/

Zitat

MySQL Remote Root Code Execution / Privilege Escalation 0day with CVE code CVE-2016-6662.
It’s a serious vulnerability and we encourage every MariaDB Server user
to read the below update on the vulnerability from a MariaDB point of
view.
The vulnerability can be exploited by both local and remote users.
Both an authenticated connection to or SQL injection in an affected
version of MariaDB Server can be used to exploit the vulnerability. If
successful, a library file could be loaded and executed with root privileges. The vulnerability makes use of the mysqld_safe startup script.

However, if the database user being used has neither SUPER nor FILE privilege or if the user has FILE but –secure-file-priv
is set to isolate the location of import and export operations, the
vulnerability is NOT exploitable. It is always recommended configuration
to not grant SUPER privileges and avoiding granting FILE privileges
without using –secure-file-priv.

Alles anzeigen