News began circulating yesterday that the popular open source database MySQL contains a publicly disclosed vulnerability that could be used to compromise servers. The flaw was discovered by researcher Dawid Golunski and began getting media attention after he published a partial proof-of-concept of the exploit, which is purposefully incomplete to prevent abuse. He said the exploit affects "all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions." In addition, MariaDB and Percona DB, which are derived from MySQL, are affected.
News reports issued yesterday indicated that MariaDB and Percona DB had already issued patches for the vulnerability, but that Oracle-controlled MySQL had not, even though Golunski had notified the company of the vulnerability on July 29. However, a report this morning from The Register says that Oracle had "quietly" issued patches on September 6, with links to patched versions 5.5.52, 5.6.33 and 5.7.15.
According to Golunski, the bug, being tracked as CVE-2016-6662, can be exploited by an attacker with an authenticated connection to the server's MySQL service, which isn't uncommon with shared hosting services, or by utilizing an SQL injection vulnerability.
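As an added defender's check, not code from the article or from Golunski, the following Python script compares a MySQL version string against the patched releases the article names (5.5.52, 5.6.33 and 5.7.15); the sample version strings are constructed, and MariaDB and Percona versions are reported as unknown because the article does not list their patched releases.

```python
import re

# Patched MySQL releases named in the article, keyed by branch.
PATCHED = {"5.5": (5, 5, 52), "5.6": (5, 6, 33), "5.7": (5, 7, 15)}


def parse_version(s):
    """Extract the first x.y.z number from a string such as the output of
    `mysqld --version` or SELECT VERSION()."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"no version number found in {s!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version_string):
    """True if the version is at or above the patched release for its branch,
    False if below it, None for branches the article does not cover."""
    v = parse_version(version_string)
    branch = f"{v[0]}.{v[1]}"
    if branch not in PATCHED:
        return None
    return v >= PATCHED[branch]


# Constructed sample version strings (not taken from any real host).
SAMPLES = [
    "mysqld  Ver 5.7.14 for Linux on x86_64 (MySQL Community Server (GPL))",
    "5.6.33-log",
    "5.5.50-0ubuntu0.14.04.1",
    "10.1.17-MariaDB",
]


def audit(lines):
    """Map each version string to 'patched', 'vulnerable' or 'unknown'."""
    label = {True: "patched", False: "vulnerable", None: "unknown"}
    return {line: label[is_patched(line)] for line in lines}


if __name__ == "__main__":
    for line, status in audit(SAMPLES).items():
        print(f"{status:10s} {line}")
```

Distribution packages sometimes backport a fix without changing the upstream version number, so a "vulnerable" result is a prompt to check the vendor's advisory rather than a final verdict.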
There has been criticism on some forums over the disclosure, as well as debate over whether this is a remote code execution vulnerability or a privilege escalation issue. Golunski's reasons for going public were addressed in the post that included the proof-of-concept, and revolved around Oracle's supposed lack of action.
"During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers," he wrote.
"As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October."
October is when Oracle, which so far has not commented on the issue, is scheduled to release its next quarterly set of security updates.