The Register has reported that a security hole has been found in MySQL that can be used to gain root access on servers.
The flaws are present in all default installations of MySQL 5.5, 5.6, and 5.7.
By tampering with one of MySQL’s config files so that it points to a malicious library already on the server, an attacker can make mysqld_safe, the script that launches MySQL, load that library and inject code into the server, which could lead to remote code execution.
mysqld_safe runs as root even if you have set up MySQL to run under a non-root user. If a web application’s permissions are not locked down on your server, and the MySQL user can write or create new configuration files, one SQL injection vulnerability could turn into a remote root shell for hackers.
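The conditions described above can be checked on your own server. The following is an added example, not code from Heart Internet or from the researcher's advisory: it flags an option file that the MySQL user owns or that is world-writable, a containing directory with the same exposure, and any setting that points at a shared library. The function names are hypothetical, the MySQL user's uid is supplied by the caller, and the option name and library path in the sample file are constructed placeholders.

```python
import os
import re
import stat
import tempfile

# Any "name = /path/to/lib.so" setting; comment lines (# or ;) never match.
LIB_RE = re.compile(r"^\s*([\w-]+)\s*=\s*['\"]?(\S+\.so(?:\.\d+)*)['\"]?\s*$")


def exposed_to(path, uid):
    """True if uid owns path or path is world-writable (group access not checked)."""
    st = os.stat(path)
    return st.st_uid == uid or bool(st.st_mode & stat.S_IWOTH)


def audit_config(path, mysql_uid):
    """Return findings for one option file that mysqld_safe would read."""
    findings = []
    if exposed_to(path, mysql_uid):
        findings.append("file writable by MySQL user")
    if exposed_to(os.path.dirname(os.path.abspath(path)), mysql_uid):
        findings.append("directory writable by MySQL user")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            match = LIB_RE.match(line)
            if match:
                findings.append(f"line {number}: {match.group(1)} -> {match.group(2)}")
    return findings


def demo():
    """Audit a constructed option file in a temp dir, treating our own uid as MySQL's."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "my.cnf")
    with open(path, "w", encoding="utf-8") as fh:
        # Constructed sample; the option name and library path are placeholders.
        fh.write("[mysqld]\ndatadir=/var/lib/mysql\n"
                 "# example_lib_option=/old/libold.so\n"
                 "example_lib_option=/var/lib/mysql/libexample.so\n")
    os.chmod(path, 0o644)
    return audit_config(path, os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real server, pass the uid of the account MySQL runs under and the option files your installation actually reads. A library setting is not always malicious, so treat each finding as something to review.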
You can read more about this security hole in Dawid Golunski’s proof of concept.
If you are on Heart Internet’s shared or Premium hosting platforms, we have already updated our servers and you are not at any risk.
If you have a VPS or Dedicated Server, our Customer Services team is on hand to help you and will be able to implement these patches for a small fee. Please raise a ticket with Customer Services for more information.