How to fix Root Privilege Escalation vulnerability (CVE-2016-6664) in MySQL, MariaDB and PerconaDB
MySQL database server is widely used by online businesses to store their critical and valuable data. MariaDB and Percona are other database servers based on MySQL.
But the confidentiality and security of these database servers are put at risk the moment a vulnerability or exploit in the software is published.
It was only a couple of months ago that the MySQL vulnerability CVE-2016-6662 (‘Remote Root Code Execution’ / ‘Privilege Escalation’) was revealed.
Two more critical vulnerabilities in MySQL have been revealed recently; they can lead to a server compromise through arbitrary code execution and escalation to root privilege.
MySQL Root Privilege Escalation vulnerability
Attackers can compromise the database server by exploiting two vulnerabilities, which arise from insecure handling of MySQL's error logs and other files.
The first is CVE-2016-6663, also known as ‘Privilege Escalation / Race Condition’. By exploiting this vulnerability, a local MySQL user can escalate his privileges on the server.
Once a user attains higher privileges, he can execute malicious code on the database server and compromise the confidential data in it.
The second vulnerability is CVE-2016-6664, ‘Root Privilege Escalation’. Attackers who gain access to a less-privileged user account can escalate their privileges to root level.
Once a hacker gains root access to the database server, he can compromise the entire server by stealing or destroying confidential and critical data.
This makes both vulnerabilities critical; they need to be fixed without delay to avoid business downtime due to server compromise.
Database servers affected by Root Privilege Escalation vulnerability
MySQL server and its derivatives such as Percona and MariaDB servers are affected by the vulnerability. The versions that are vulnerable are:
How to fix Root Privilege Escalation bug in MySQL
MySQL has fixed the vulnerability in its latest database server versions. To update to the latest server version, the steps are:
On RedHat and CentOS servers, ‘yum’ can be used to update the MySQL server package:
sudo yum update mysql-server
Across major version changes, the previous version may have to be removed before the new version is installed.
On Ubuntu and Debian servers, ‘apt-get’ can be used to update the ‘mysql-server’ package.
After the server has been restarted following the update, running ‘mysql_upgrade’ checks for and resolves any incompatibilities between the existing data and the upgraded software.
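The steps above carried through end to end, as an added example that is not part of the article or of any vendor tooling: a POSIX shell script that picks the package manager the way the article does (yum on RedHat/CentOS, apt-get on Debian/Ubuntu), updates the server package, restarts the service, runs mysql_upgrade, and then confirms that the installed mysqld is at or above the fixed release. The fixed release number is not on this page, so MIN_FIXED_VERSION is a placeholder to be filled from the vendor advisory for your product and branch; the package name (PKG) and the service names tried on restart are also assumptions that vary between MySQL, MariaDB and Percona builds. The version banners in the comments are constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the Bobcares article): apply the package fix for
# CVE-2016-6663 / CVE-2016-6664 and verify the installed server version.
# MIN_FIXED_VERSION is a PLACEHOLDER: take the fixed release for your product
# (MySQL, MariaDB or Percona) and branch from the vendor advisory.
MIN_FIXED_VERSION="${MIN_FIXED_VERSION:-X.Y.Z}"
# Package name assumption: mysql-server; MariaDB ships as mariadb-server and
# Percona package names differ, so override PKG as needed.
PKG="${PKG:-mysql-server}"

# Compare two dotted numeric versions; returns 0 when $1 >= $2.
# Returns 2 if either side contains a non-numeric field (e.g. the placeholder).
version_ge() {
    v1="$1"; v2="$2"; i=1
    while :; do
        x=$(printf '%s' "$v1" | cut -d. -f"$i")
        y=$(printf '%s' "$v2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all fields equal
        x=${x:-0}; y=${y:-0}
        case "$x$y" in *[!0-9]*) return 2 ;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Extract the first N.N.N from a "mysqld --version" banner, e.g. the
# constructed sample "mysqld  Ver 10.1.18-MariaDB for Linux on x86_64" -> 10.1.18
parse_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Pure check used by check_installed: 0 = fixed, 1 = still vulnerable,
# 2 = the minimum version was never set (placeholder still present).
check_version() {
    installed="$1"; minimum="$2"
    case "$minimum" in X.Y.Z|"") return 2 ;; esac
    version_ge "$installed" "$minimum"
}

# Print the package-manager update command for this host (does not run it).
update_cmd() {
    if command -v yum >/dev/null 2>&1; then
        echo "yum update -y $PKG"
    elif command -v apt-get >/dev/null 2>&1; then
        echo "apt-get update && apt-get install --only-upgrade -y $PKG"
    else
        return 1
    fi
}

# Read the installed mysqld binary's version and compare it with the fix.
check_installed() {
    installed=$(parse_version "$(mysqld --version 2>/dev/null)")
    [ -n "$installed" ] || { echo "mysqld not found on PATH" >&2; return 2; }
    check_version "$installed" "$MIN_FIXED_VERSION"
    rc=$?
    case "$rc" in
        0) echo "OK: installed $installed >= fixed $MIN_FIXED_VERSION" ;;
        1) echo "STILL VULNERABLE: installed $installed < fixed $MIN_FIXED_VERSION" ;;
        *) echo "Set MIN_FIXED_VERSION from the vendor advisory first" >&2 ;;
    esac
    return "$rc"
}

# The article's procedure: update, restart, mysql_upgrade, then verify.
apply_fix() {
    cmd=$(update_cmd) || { echo "no supported package manager found" >&2; return 1; }
    echo "+ $cmd"; sh -c "$cmd" || return 1
    # Service name differs between builds; try the common unit/service names.
    systemctl restart mysqld 2>/dev/null || systemctl restart mysql 2>/dev/null \
        || systemctl restart mariadb 2>/dev/null || service mysql restart || return 1
    # Repair any on-disk incompatibilities between old data and new software.
    mysql_upgrade -u root -p || return 1
    check_installed
}

# Run the procedure only when explicitly asked, so the functions can be
# sourced and the version check used on its own.
case "${1:-}" in --apply) apply_fix ;; esac
```

Run it as root with the fixed version set, for example `MIN_FIXED_VERSION=<from advisory> sh fix-mysql.sh --apply`; `check_installed` alone reports whether the binary on disk is at the fixed release, which is worth running after a reboot as well, since a package update that was never followed by a restart leaves the old mysqld process running.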
Bobcares provides Outsourced Hosting Support and Outsourced Server Management for online businesses. Our services include Hosting Support Services, server support, help desk support, live chat support and phone support.