An attacker with a low-privileged account can also achieve root privilege by first exploiting the Privilege Escalation flaw (CVE-2016-6663) to become 'MySQL system user' and thus allow attackers to fully compromise the targeted server. [thehackernews.com...]
robzilla
7:46 pm on Nov 3, 2016 (gmt 0)
Thanks for the heads up. Went to update, but turns out I'm already running 5.5.53, which is apparently unaffected.
ergophobe
1:15 am on Nov 4, 2016 (gmt 0)
I was on 5.5.52 so I was okay too. I just updated to 5.5.53 as well.
Too late to edit my original post, but for the benefit of others...
Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as MySQL forks — Percona Server and MariaDB.
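An added example, not part of any post in this thread: a small checker that classifies a server's version string against the affected ranges quoted above. The function name, result labels and sample strings are assumptions made for illustration; the inputs are what `SELECT VERSION()` and `@@version_comment` return.

```python
import re

# Last affected release per series, as quoted in the thread above.
LAST_AFFECTED = {(5, 5): 51, (5, 6): 32, (5, 7): 14}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def assess(version, version_comment=""):
    """Classify a server from SELECT VERSION() and @@version_comment.

    Returns 'affected', 'not-affected', 'fork-check-vendor',
    'series-not-listed' or 'unparseable' (labels are hypothetical).
    """
    text = f"{version} {version_comment}".lower()
    # The thread says the forks are affected but gives no fork version
    # numbers, so forks are never matched against the MySQL thresholds.
    if "mariadb" in text or "percona" in text:
        return "fork-check-vendor"
    match = VERSION_RE.search(version)
    if not match:
        return "unparseable"
    major, minor, patch = map(int, match.groups())
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "series-not-listed"
    return "affected" if patch <= last else "not-affected"


# Constructed sample inputs (not taken from any real server).
SAMPLES = [
    ("5.5.51-log", ""),
    ("5.5.53-0ubuntu0.14.04.1", "(Ubuntu)"),
    ("5.6.32-78.1", "Percona Server (GPL), Release 78.1"),
    ("10.1.18-MariaDB", "MariaDB Server"),
]

if __name__ == "__main__":
    for version, comment in SAMPLES:
        print(f"{version:28} {assess(version, comment)}")
```

A `fork-check-vendor` result means the fork's own advisory has to be consulted, since the thread lists no fixed versions for Percona Server or MariaDB.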
lammert
7:20 am on Nov 5, 2016 (gmt 0)
Another security post here on WebmasterWorld where the title suggests much more than the real problem and the call to action "Update your servers!" is not applicable to the majority of the webmaster community.
First of all the attacker must be able to create tables on the MySQL server. Secondly the attacker must be able to change a file to a symbolic link to the root MySQL directory during the execution of a MySQL statement repair statement which needs accurate timing. In practice this will only be the case on machines with poorly set up shared hosting accounts where each of the users is not locked in their own directory tree. Those who are on shared hosting won't have the option to upgrade their MySQL implementation anyway.
Therefore the bug only applies to those businesses offering shared hosting on non-root-locked user accounts which are susceptible to many other attacks anyway and should be avoided by any decent webmaster.
robzilla
12:38 pm on Nov 7, 2016 (gmt 0)
Sometimes it's easier to just patch the thing than to figure out whether or not you're actually at risk ;-)
graeme_p
6:12 pm on Nov 7, 2016 (gmt 0)
It looks like it affects MySQL forks (MariaDB and Percona) as well, so it must have been there a while. I hope they have been patched too.
Thanks, @lammert, you answered the questions I wanted to ask.
ergophobe
6:57 pm on Nov 7, 2016 (gmt 0)
Thanks lammert
I had not intended the title to be exaggerated, but the article on Hacker News said "An attacker with a low-privileged account can also achieve root privilege" so that sounded like a fire alarm. Which was probably their intent... click bait. My apologies for a mostly false alarm.
I got hammered during Drupageddon. I should have updated immediately, but I decided to wait a bit. But then most Drupal installs got hacked in the first day... and it was a burn down the server affair.