The open source MySQL project was previously developed by a Swedish company by the same name, but was later purchased by Sun Microsystems in 2008, and further changed hands when Oracle subsequently bought Sun in 2010. Oracle is yet to respond to the vulnerabilities, but a replacement for MySQL, developed by Monty Program — MariaDB — which is meant to allow administrators to effectively replace the database software as a compatible alternative, have quickly moved to respond.
Monty Program Vice President of Architecture Sergei Golubchik (who also worked at MySQL prior to its purchase by Sun/Oracle) reported on the Open Source Security Mailing List that the first bug, CVE-2012-5611, is a duplicate of an older bug, CVE-2012-5579, which could allow users to crash the SQL instance or execute arbitrary code. It has been patched in the latest version of MariaDB.
However, Golubchik acknowledged that both CVE-2012-5612 and CVE-2012-5614 could cause the SQL instance to crash, and is working on resolving bothissues.
CVE-2012-5615 allows an attacker to confirm whether a certain username is in use by the SQL instance as it immediately responds with "Access denied" if the account does not exist, but provides another response if the account exists, but the supplied credentials are incorrect.
"This is hardly a 'zero-day' issue; it was known for, like, ten years. But I'll see what we can do here," Golubchik wrote. He has since filed the issue with Monty Program developers as a major bug.
As for CVE-2012-5613, it was initially brought to the attention of the Full Disclosure forum as a means to increase the privileges of certain non-administrative users to one with administrative rights. This requires that the non-administrative user be granted the "FILE" privilege to write anywhere in the file system with the same rights as the SQL instance.