
[Vulnerability notice] CVE-2016-6662: Arbitrary code execution vulnerability in MySQL

Last Updated: May 07, 2018

Description

The MySQL logging feature is improperly configured, so an external attacker holding a MySQL account with low privileges (such as only the SELECT and FILE privileges) can modify my.cnf. This can be leveraged to run arbitrary code.

Attackers can launch this attack through an exposed MySQL service, a web-based MySQL administration application, or even a SQL injection vulnerability in a web application. Because most MySQL services run under the root account, an attacker who successfully exploits this vulnerability may gain control of the entire server and cause severe harm.

Affected versions

  • MySQL 5.7.x <= 5.7.15
  • MySQL 5.6.x <= 5.6.33
  • MySQL 5.5.x <= 5.5.52
  • MySQL branch versions:
    • MariaDB
    • PerconaDB

Fix

  • Set stronger passwords for all your MySQL accounts. We recommend a strong password of more than 10 characters that contains numbers, letters, and special symbols.
  • Revoke the FILE privilege from all MySQL accounts that do not need it.
  • Install the latest patch from the MySQL official website.
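
As an added example (not part of this notice and not vendor-supplied code), the following SQL shows how a DBA can audit which accounts hold the global FILE privilege, revoke it where it is not needed, and review the file-writing and logging settings that this vulnerability abuses. The account names and the password value are constructed placeholders.

```sql
-- Added example (not from the original notice): audit and revoke the FILE
-- privilege and inspect the settings involved in writing to my.cnf.
-- 'app'@'localhost' and 'report'@'%' are constructed placeholder accounts.

-- 1. Which accounts hold the global FILE privilege? Anything beyond the DBA
--    accounts that genuinely need it is a candidate for revocation.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 2. FILE is a global privilege, so it is revoked with ON *.*.
REVOKE FILE ON *.* FROM 'app'@'localhost';
REVOKE FILE ON *.* FROM 'report'@'%';

-- 3. Confirm the revocation took effect.
SHOW GRANTS FOR 'app'@'localhost';

-- 4. Hardening checks on the same write path. secure_file_priv restricts
--    where SELECT ... INTO OUTFILE may write (an empty value means anywhere);
--    general_log_file and slow_query_log_file should never point at a
--    configuration file such as my.cnf.
SHOW VARIABLES WHERE Variable_name IN
  ('secure_file_priv', 'general_log', 'general_log_file',
   'slow_query_log', 'slow_query_log_file');

-- 5. Rotate passwords for the remaining accounts (MySQL 5.5/5.6 syntax; on
--    5.7.6 and later, ALTER USER ... IDENTIFIED BY is preferred). The value
--    below is a placeholder, not a suggested password.
SET PASSWORD FOR 'app'@'localhost' = PASSWORD('<replace-with-strong-password>');
```

Run the audit query first and keep a list of the accounts that legitimately require FILE (typically only administrative accounts used for bulk loading); revoke from everything else, then re-run the query to verify an empty result apart from that list.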