Multiple severe vulnerabilities affecting MySQL and it’s forks were discovered by researcher, Dawid Golunski according to Helpnetsecurity. One of the vulnerabilities – CVE-2016-6662 – can be used to make malicious settings in the MySQL configuration file or create a new configuration file, allowing execution of arbitrary code with root access when the service is restarted. The vulnerability.
Golunski explained in an advisory published on Monday, that “The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,”
Oracle is yet to release a fix for these issues even though Golunski reported to the issues to them in late July. MySQL forks, Percona and MariaDB have pushed out new releases that addresses the CVE-2016-6662.
Golunski advised, “As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnfi3 files that are not in use,”