On September 12, 2016, MySQL, the most widely deployed open-source database in the world, had a serious vulnerability disclosed as a 0-day, with no vendor patch available. It allows an authenticated attacker (a database user, or an application account reached through SQL injection) to escalate to full root control of the host running the server. The attacker does not need administrative rights in the database; the FILE privilege, which is commonly granted, is enough to plant a crafted configuration file that the mysqld_safe wrapper script then loads as root the next time the service is restarted. This privilege escalation is a serious threat, and multi-user database servers and shared hosting environments are at particular risk of compromise.
MySQL is maintained by Oracle Corp., which means that Oracle controls the pacing and the resources devoted to the project. According to Dawid Golunski, who found the flaw, Oracle was notified of this vulnerability more than 40 days before the disclosure and has still not patched the software, exposing millions of websites and services to serious risk. Oracle is expected to fix MySQL in its next quarterly Critical Patch Update, due in mid-October.
There are forks of MySQL maintained by other teams, Percona Server and MariaDB. Both teams shipped fixes for this vulnerability before the public disclosure.
You can find more information about this flaw here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
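Until a vendor fix is installed, the practical defence is to make sure the two things the attack relies on are not present: an option file that the mysql service account can write to (or create), and a malloc_lib= directive pointing at an attacker-controlled library, which mysqld_safe preloads into mysqld as root. The script below is an added example written for this post, not code from OSTIF, Oracle or the researcher. The list of option-file paths and the expected owner (root) are assumptions about a typical Linux install and should be adjusted to match yours.

```shell
#!/bin/sh
# Audit MySQL option files for the preconditions CVE-2016-6662 depends on.
# Added example (not part of the original post or of MySQL). POSIX sh only.
#
# mysqld_safe honours malloc_lib= from the [mysqld], [server] and
# [mysqld_safe] sections of any option file it reads and preloads that
# library into mysqld while still running as root. An attacker who can
# write such a line into an option file (e.g. SELECT ... INTO OUTFILE with
# the FILE privilege into a path the mysql account may write) gets root on
# the next restart.
#
# Assumptions (adjust for your install):
#   MYSQL_CNF_OWNER   account that should own option files (default: root)
#   CANDIDATE_CONFIGS option-file paths mysqld/mysqld_safe consult; the
#                     datadir entry should exist as a root-owned placeholder
#                     so the mysql account cannot create it later.
MYSQL_CNF_OWNER=${MYSQL_CNF_OWNER:-root}
CANDIDATE_CONFIGS=${CANDIDATE_CONFIGS:-"/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /var/lib/mysql/my.cnf"}

# Option names accept '-' and '_' interchangeably, so match both spellings.
MALLOC_LIB_RE='^[[:space:]]*malloc[-_]lib[[:space:]]*='

# audit_option_file FILE
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_option_file() {
    f=$1
    rc=0

    # 1. A missing file is a finding: INTO OUTFILE can only create new files,
    #    so an absent my.cnf in a mysql-writable directory is exactly what an
    #    attacker needs. Create a root-owned, non-writable placeholder.
    if [ ! -e "$f" ]; then
        echo "MISSING   $f (create a $MYSQL_CNF_OWNER-owned, non-writable placeholder)"
        return 1
    fi

    # 2. Ownership/permissions: if anyone other than the expected owner can
    #    write here, they can add malloc_lib= themselves.
    if [ -n "$(find "$f" -prune \( ! -user "$MYSQL_CNF_OWNER" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "WRITABLE  $f (owner is not $MYSQL_CNF_OWNER, or group/world writable)"
        rc=1
    fi

    # 3. Any malloc_lib= directive deserves a human look; legitimate uses
    #    (e.g. tcmalloc) are rare enough that flagging all of them is cheap.
    if grep -Eiq "$MALLOC_LIB_RE" "$f" 2>/dev/null; then
        echo "MALLOCLIB $f: $(grep -Ei "$MALLOC_LIB_RE" "$f" | head -n 1)"
        rc=1
    fi

    return $rc
}

# audit_all
# Runs audit_option_file over CANDIDATE_CONFIGS; returns 0 only if all are clean.
audit_all() {
    overall=0
    for f in $CANDIDATE_CONFIGS; do
        audit_option_file "$f" || overall=1
    done
    return $overall
}

# Usage: sh mysql_cnf_audit.sh --run
# (without --run the file only defines the functions, so it can be sourced)
case ${1:-} in
    --run) audit_all ;;
esac
```

A clean run exits 0 and prints nothing; any MISSING, WRITABLE or MALLOCLIB line means the host needs attention before mysqld_safe is next restarted. The script is a stop-gap check for the two known preconditions, not a substitute for installing the vendor fix once it ships.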
According to Dawid Golunski, there are additional flaws in MySQL that make this attack substantially easier to carry out and dramatically increase the likelihood of it being exploited. He has withheld the details of those flaws because of the risk to the public, but Oracle has been made aware of them.
Flaws like this one show that widely used free software that makes up the backbone of the internet can still have serious vulnerabilities that can lead to disastrous outcomes. These are the kinds of flaws that we are out to fix through direct auditing, incentives, and research grants.
Support OSTIF by donating today, and support free and open software!