Zero-day vulnerability found within MySQL database application

The critical flaw affects all default versions of MySQL and has been disclosed after Oracle failed to patch the flaw promptly.
Written by Charlie Osborne, Contributing Writer

A researcher has disclosed a zero-day flaw in the widely-used MySQL database application after Oracle reportedly failed to patch the critical security hole.

On Monday, independent security researcher Dawid Golunski released his findings through a public security disclosure, stating that over 40 days have passed since the zero-day vulnerability was reported to the vendor.

The bug, CVE-2016-6662, is a privilege escalation flaw which impacts all version branches of MySQL, including 5.7.15, 5.6.33 and 5.5.52, as well as software linked to MySQL, including MariaDB and PerconaDB.

CVE-2016-6662 can be exploited if an attacker has an authenticated connection to MySQL, such as through shared networking or web interfaces. Attackers are able to inject malicious settings into MySQL configuration files, my.cnf, to gain root access and execute additional malicious code.

The previously unknown vulnerability can be exploited by both local and remote attackers and can lead to remote code execution with root privileges, which in turn can grant an attacker the ability to fully compromise a server.

The researcher has also provided proof-of-concept (PoC) code to demonstrate his claims. However, the PoC has been limited -- for now -- as a way to warn users and give Oracle time to issue a fix before a full PoC is released to the public.

The critical flaw was first reported to Oracle on 29 July and was triaged by the company's security team. The flaw was also reported to other vendors affected by the vulnerability, including PerconaDB and MariaDB. PerconaDB and MariaDB have both patched the problem and so users of the two firms' software are now safe from this flaw, but Oracle is yet to push a patch to fix the bug.

"During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers," Golunski says.

"As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October," the researcher added.

See also: Oracle acquires Netsuite in $9.3bn deal

It is worth noting, however, that the disclosure has been met with some debate by those in the security industry.

At the time of writing, no official patches or mitigations are available from Oracle. However, the zero-day may be scheduled for inclusion in Oracle's next patch update, scheduled 18 October.

ZDNet has reached out to Oracle and will update if we hear back.

The best rugged cases for protecting your smartphone

Editorial standards