MySQL security hole found - please update your servers - Heart Internet Blog - Focusing on all aspects of the web

The Register has reported that a security hole has been found in MySQL that can be used to gain root access on servers.

The flaws are present in all default installations of MySQL 5.5, 5.6, and 5.7.

By tampering with one of MySQL’s config files to point to a malicious library already on the server, you can set it up so that mysqld_safe, the script file that launches MySQL, loads the library and injects code into the server that could get you remote code execution.

mysqld_safe runs as root even if you have set up MySQL to run under a non-root user. If a web application’s permissions are not locked down on your server, and the MySQL user can write or create new configuration files, one SQL injection vulnerability could turn into a remote root shell for hackers.

You can read more about this security hole on David Golunski’s proof of concept.

This security hole also affects MariaDB and PerconaDB, who have both issued fixes for this issue.

Oracle has also updated MySQL to address this. Please update to 5.5.52, 5.6.33, and 5.7.15.

If you are on Heart Internet’s shared or Premium hosting platforms, we have already updated our servers and you are not at any risk.

If you have a VPS or Dedicated Server, our Customer Services team is on hand to help you and will be able to implement these patches for a small fee. Please raise a ticket with Customer Services for more information.

Subscribe to our monthly Heart Internet newsletter, filled with the latest articles about web design, development, building your business, and exclusive offers.

Subscribe now!

Comments

Please remember that all comments are moderated and any links you paste in your comment will remain as plain text. If your comment looks like spam it will be deleted. We're looking forward to answering your questions and hearing your comments and opinions!

Leave a reply

Comments are closed.

Drop us a line 0330 660 0255 or email sales@heartinternet.uk