Slashdot Mirror


Two Critical MySQL Bugs Discovered (infoworld.com)

An anonymous reader quotes InfoWorld: Two critical privilege escalation vulnerabilities in MySQL, MariaDB, and PerconaDB can help take control of the whole server, which is very bad for shared environments... Administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database... The first vulnerability, a privilege escalation/race condition flaw, gives elevated privileges to a local system user with access to a database and allows them to execute arbitrary code as the database system user. This gives an attacker access to all of the databases on the affected server... The privilege escalation/race condition flaw can be chained with another critical vulnerability, a root privilege escalation vulnerability, to further elevate the system level user to gain root on the server.

70 comments

  1. I recommend Oracle by 110010001000 · · Score: 3, Funny

    Oracle is unbreakable.

    Signed,
    Larry

    1. Re:I recommend Oracle by Lisandro · · Score: 1, Insightful

      The sad thing is, Oracle is still by far the best RDBMS out there. Sometimes you do get what you pay for.

    2. Re: I recommend Oracle by Anonymous Coward · · Score: 0

      I have seen Oracle break very badly. Those bugs have since been fixed, but I'm sure that even today Oracle is far from unbreakable. It might be more unbreakable than others, but I'm not sure the quality difference is worth the drawbacks of doing business with Oracle.

    3. Re:I recommend Oracle by MiliusXP · · Score: 0

      It's true, they are making an Unbreakable Enterprise Kernel

    4. Re: I recommend Oracle by 93+Escort+Wagon · · Score: 1

      OP was referring to an Oracle advertising campaign from earlier this millennium - they referred to their database as "unbreakable".

      It ended up being a rather short campaign for obvious reasons...

      --
      #DeleteChrome
    5. Re:I recommend Oracle by Anonymous Coward · · Score: 0

      At the risk of feeding into yet another software platform holy war, I've been using PostgreSQL across a large number of environments, with very diverse needs and datasets ranging from a few megabytes to multiple petabytes, for many years. A number of those environments were once Oracle shops, and plenty of things improved dramatically after they elected to dump Oracle. -PCP

      Captcha: struggle

    6. Re:I recommend Oracle by rubycodez · · Score: 1

      nonsense, shill-boy, plenty of superior DBMS out there that even scale better than Oracle, such as DB2.

      Besides Oracle is now shaky and unstable, I had to put in a few hours this weekend because of long standing bugs they've yet to fix.

      Add to that their goons "audit" a customer like mafia thugs, claiming the customer has to even pay for hardware where Oracle doesn't run because it might run there! Then the customer has to either pay up or buy Oracle hardware.

      The sad thing is that Oracle is circling the drain, no one should be using it.

    7. Re:I recommend Oracle by rubycodez · · Score: 1

      my employer uses it for mission critical systems. sadly, it breaks. I remember back when it could have uptime in years, but that's not now

    8. Re:I recommend Oracle by ebvwfbw · · Score: 1

      Sounds like you aren't the one paying the bills.

      Buy it sometime for a business and tell me how great it is.

    9. Re:I recommend Oracle by ebvwfbw · · Score: 1

      Oh, and then ask for some of the support that you paid for. I'm not paying for it, I see the bills and I'm still really upset. Their customer service is crap. Their attitude is crap, especially when it comes to security. They don't care.

      I'll stop there or I'd be typing all night. Wherever Oracle is, they really should have a parking space with my name on it as a sponsor.

  2. WTF by HornWumpus · · Score: 0

    MySQL runs a thread or process as root? Why?

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    1. Re:WTF by Anonymous Coward · · Score: 0

      Ask that imbecile monty

    2. Re:WTF by Anonymous Coward · · Score: 0

      Indeed. That's absurd.

    3. Re:WTF by Lisandro · · Score: 1

      Hey, root access makes things easier. People are just lazy...

    4. Re:WTF by XXeR · · Score: 3, Informative

      MySQL runs a thread or process as root? Why?

      It doesn't. Read the hack, it's using a symlink attack on error.log to gain access to an arbitrary root owned file.

    5. Re:WTF by Anonymous Coward · · Score: 0

      MySQL does not, by default, run as root. I guess the bigger WTF is why you would think it does.

    6. Re: WTF by Anonymous Coward · · Score: 0

      WTF...a DB user can tell the engine where to put a file?

      WTF... MySQL backs tables with individual files?

      What kind of kindergarten shit is this?

    7. Re: WTF by KiloByte · · Score: 2

      What kind of kindergarten shit is this?

      Well, it's mostly people who don't know any better (ie, the vast majority). If you need a relational database, you want real SQL like Postgres. If you're happy with a flat store, there are more efficient solutions that don't pretend to be SQL.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    8. Re: WTF by Anonymous Coward · · Score: 0

      If you don't think that PostgreSQL or any other sql for that matter stores tables differently then you're in for a big surprise.

    9. Re: WTF by Anonymous Coward · · Score: 0

      WTF...a DB user can tell the engine where to put a file?

      You need the FILE or SUPER privilege for that.
      PostgreSQL appears to have the same kind of thing:
      http://stackoverflow.com/questions/1517635/save-pl-pgsql-output-from-postgresql-to-a-csv-file

      WTF... MySQL backs tables with individual files?

      In the very old database engine (MyISAM) that nobody should be using unless they sort of know what they're doing, yes. In InnoDB, usually no, though you can change the settings to use one file per table.

    10. Re: WTF by Anonymous Coward · · Score: 0

      One file per table is the default for InnoDB since MySQL 5.6.6. It is far more convenient than a single datafile in my experience. Have a look at the doc if you are interested https://dev.mysql.com/doc/refman/5.7/en/innodb-multiple-tablespaces.html

    11. Re:WTF by Anonymuous+Coward · · Score: 1

      No shit. How is mysqld_safe able to chown that file if it's not running as root?

    12. Re:WTF by Anonymuous+Coward · · Score: 1

      Because it does?

      The second exploit relies on mysqld_safe (sic) being run as root, otherwise the whole thing falls flat: you can make error_log a symlink to /etc/ld.so.preload as much as you like, but you won't be able to chown the latter and overwrite it.
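The two comments above (the symlink on error.log, and mysqld_safe running as root so it can chown the link target) describe the condition a defender wants to detect rather than reproduce. The following audit script is an added example, not code from the thread, MySQL or any advisory; it checks whether a configured error-log path is a symlink pointing outside the data directory or at /etc/ld.so.preload, and whether mysqld/mysqld_safe show up as root in `ps -eo user,comm` output. The sample directory layout and ps lines are constructed for the demo.

```python
"""Defender-side checks for the error-log symlink / root-wrapper condition."""
import os
import tempfile
from pathlib import Path

# The one target named in the thread; the loader honours this file as root.
PRIVILEGED_TARGETS = ("/etc/ld.so.preload",)


def audit_error_log(log_path: str, datadir: str) -> list:
    """Return findings for one MySQL error-log path.

    Flags the log if it is a symlink, if it resolves outside datadir,
    or if it resolves to a privileged loader file such as /etc/ld.so.preload.
    """
    findings = []
    real_datadir = os.path.realpath(datadir)
    if Path(log_path).is_symlink():
        target = os.path.realpath(log_path)
        findings.append("symlink: %s -> %s" % (log_path, target))
        if os.path.commonpath([target, real_datadir]) != real_datadir:
            findings.append("target outside datadir: %s" % target)
        if target in PRIVILEGED_TARGETS or os.path.basename(target) == "ld.so.preload":
            findings.append("target is a privileged loader config: %s" % target)
    return findings


def audit_processes(ps_lines) -> list:
    """Flag mysqld / mysqld_safe entries owned by root.

    ps_lines are 'USER COMMAND' strings as printed by `ps -eo user,comm`.
    A root-owned wrapper is what lets the chown step in the chain succeed
    on unpatched builds, so it is worth surfacing during an audit.
    """
    findings = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        user, comm = parts[0], parts[1].strip()
        if comm in ("mysqld", "mysqld_safe") and user == "root":
            findings.append("%s runs as root" % comm)
    return findings


def demo() -> dict:
    """Constructed scenario: error.log symlinked to a fake ld.so.preload."""
    with tempfile.TemporaryDirectory() as tmp:
        datadir = os.path.join(tmp, "mysql")
        etc = os.path.join(tmp, "etc")  # stand-in for /etc, not the real one
        os.makedirs(datadir)
        os.makedirs(etc)
        preload = os.path.join(etc, "ld.so.preload")
        Path(preload).touch()
        log = os.path.join(datadir, "error.log")
        os.symlink(preload, log)
        log_findings = audit_error_log(log, datadir)
    # Constructed ps output, not captured from a real host.
    ps = ["root mysqld_safe", "mysql mysqld", "root sshd"]
    return {"log": log_findings, "procs": audit_processes(ps)}
```

Point `audit_error_log` at the `log-error` path from my.cnf and feed `audit_processes` real `ps -eo user,comm` lines to run it against a host.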

    13. Re:WTF by HornWumpus · · Score: 1

      The only thing I know about MySQL is to 'run away'. _Never_ take jobs/contracts at companies that incompetent.

      If MySQL wasn't leaking root privileges it would be an OS bug. For MySQL to leak it, it has to have it.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    14. Re: WTF by Anonymous Coward · · Score: 0

      MySQL may run as root if the admin is a n00b. Otherwise nope, not even by default. Apt-get install for yourself and check. Stop saying foolish things.

    15. Re: WTF by Cramer · · Score: 1

      Nobody who cares about their data uses innodb. I guess you've never experienced any type of file corruption. The makers of innodb cannot be bothered to write tools to detect errors, much less do anything about them. "Get database dumps" is the wrong fucking answer! All it takes is a single bit getting flipped to ruin an entire datastore -- which can be multiple databases.

  3. okay by Anonymous Coward · · Score: 0

    So an exploit usable after you've gained local access?

    1. Re: okay by Anonymous Coward · · Score: 0

      That's still bad. Not everyone runs all of their compute environments from the personal server in their mother's basement.

    2. Re: okay by 93+Escort+Wagon · · Score: 1

      It's not a binary toggle. You shouldn't provide unfettered shell access on your server to your users unless it's necessary for the function of that server. And, if it is, running your database from that same server is unwise.

      --
      #DeleteChrome
  4. MySQL is not webscale by Anonymous Coward · · Score: 1, Funny

    MySQL is not webscale. Why didn't you use MongoDB? MongoDB is a web scale database, and doesn't use SQL or JOINs, so it's high-performance. Everybody knows that relational databases don't scale because they use JOINs and write to disk. Relational databases weren't built for web scale. MongoDB handles web scale. You turn it on and it scales right up. MySQL is slow as a dog. MongoDB will run circles around MySQL because MongoDB is web scale.

    1. Re: MySQL is not webscale by Anonymous Coward · · Score: 0

      your mom is webscale

    2. Re:MySQL is not webscale by 110010001000 · · Score: 1

      Webscale is so 2010. The real question is: is it cloud based?

    3. Re: MySQL is not webscale by Anonymous Coward · · Score: 0

      Not every project people want to do is web scale, either.

    4. Re: MySQL is not webscale by Anonymous Coward · · Score: 0

      Only luddite clouds scale the Web.

    5. Re: MySQL is not webscale by Anonymous Coward · · Score: 0

      His mom uses a truck scale. Fat bitch.

    6. Re:MySQL is not webscale by Anonymous Coward · · Score: 0

  5. Wondering by Anonymous Coward · · Score: 0

    Wondering, how this can be used to help me get a date with Ariel Winter?

    1. Re:Wondering by Anonymous Coward · · Score: 0

      Unleash little Bobby Tables on her school to schedule up a date with you.

    2. Re: Wondering by Anonymous Coward · · Score: 0

      Have you tried rape?

    3. Re: Wondering by Anonymous Coward · · Score: 0

      Triggered

    4. Re: Wondering by Anonymous Coward · · Score: 0

      Does MongoDB support triggers? It must if it's web scale.

  6. Re: Seriously who by Anonymous Coward · · Score: 0

    Apart from Postgres, I don't know any other. Care to share some names?

    People use MySQL because that's what providers make available to them on cheap hosting solutions.

  7. High performance is no use with poor functionality by Viol8 · · Score: 2, Informative

    Sure, MongoDB is fast. But having used it after spending years with relational DBs, my opinion of it is it's a little more than a toy that's one step up from a flat file and is basically a throwback to what existed back in the 70s before RDBs came along.

    If all you want is a key value store then knock yourself out, but if you want proper relational operations - and don't say they're not important, they damn well are in any serious business data - then forget it. Mongo has some relational operators hacked in and the latest versions can do a piss poor simulacra of a join between collections, but these can't use an index so are essentially useless for high speed operations. Also Mongo doesn't support transactions, making dirty reads possible and hence it's useless for simultaneous multiclient operations on critical data. And don't get me started on its hideous bastard stepchild of a JavaScript command line making even the simplest query a PITA exercise in bracket counting.

    "MongoDB will run circles around MySQL because MongoDB is web scale."

    Dishing up noddy website data is pretty much all it's any use for.

  8. Re:Seriously who by HornWumpus · · Score: 1

    MySQL and its metastases is just non-standard enough. Once you use it, you're stuck with it or you get to start over.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  9. Re: Seriously who by Anonymous Coward · · Score: 0

    Firebird.

    SQLite works too but it doesn't exactly run as a server ...

  10. Re:Seriously who by Anonymous Coward · · Score: 1

    Indeedy, I learnt Postgres over ten years ago, when 8.0 was current.

    I chose it largely because people were touting it as better than MySQL. I didn't know any SQL back then, but I had a fairly simple PHP/MySQL app I could port over. The porting taught me quite a bit.

    Today, if I were to start from zero again and had the time, I'd learn Firebird. Not that there's anything wrong with Pg, I'd do it just out of curiosity. If the Moscow stock exchange runs it, it must be pretty damn powerful ...

  11. Re:Seriously who by darkain · · Score: 1

    Multi-master replication across multiple datacenters for high availability and low latency reads. How many databases have this feature right now?

  12. Re:High performance is no use with poor functional by darkain · · Score: 4, Insightful

    Apparently you are unaware of this... https://www.youtube.com/watch?...

  13. Re:High performance is no use with poor functional by Anonymous Coward · · Score: 0

    I tip my hat to you, Sir. Thank you for saying all that.

  14. Re: Seriously who by Anonymous Coward · · Score: 0

    The ones that aren't free.

  15. Re:High performance is no use with poor functional by Anonymous Coward · · Score: 0

    Is there a transcript available?

    English is not my first language and I'm having a lot of trouble making out the computer-synthesised voices ...

  16. Re: Seriously who by dgatwood · · Score: 0

    Ingres.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  17. Old news (even for Slashdot) by Zontar+The+Mindless · · Score: 5, Informative

    Both of these vulnerabilities were fixed in MySQL two months ago. I assume MariaDB and Percona have long since applied the patches as well.

    So the big takeaway here is, "If you've not upgraded to the latest release yet, why the hell not?"

    --
    Il n'y a pas de Planet B.
    1. Re:Old news (even for Slashdot) by supremebob · · Score: 1

      Has everyone actually applied these patches, though? I'd imagine that AWS has already patched all of the RDS instances that they manage for companies, but have all of the smaller organizations that use MySQL as an embedded database?

    2. Re:Old news (even for Slashdot) by Zontar+The+Mindless · · Score: 1

      All they need to do is upgrade to the latest release. I believe there has actually been another release in each current series (5.5, 5.6, 5.7) since the releases incorporating the fix.

      I still think it's a slow news day at InfoWorld.

      --
      Il n'y a pas de Planet B.
    3. Re:Old news (even for Slashdot) by Anonymous Coward · · Score: 0

      So the big takeaway here is, "If you've not upgraded to the latest release yet, why the hell not?"

      Developers.

      At least, that's what I'm looking at right now.

      The team[-1] was all about "velocity". Feature delivery was king. Cleverness was worshipped.

      Mistakes were made.

      No data-access layer. SQL assembled from pieces, instead of parameterized queries. Database logic mixed up with XML logic mixed up with business logic everywhere.

      So the current team of developers now have the job of figuring out why the application becomes unstable if a newer version of MySQL is used.

      They haven't figured it out yet.

      But until they do, no upgrades.

      At least the code has improved to where it's not an SQL-injection training tool anymore.

    4. Re: Old news (even for Slashdot) by Anonymous Coward · · Score: 0

      I'm guessing you've never dealt with mission critical change control. In some cases it's not a case of when, but if. They're too scared that the update will introduce new bugs.

  18. Re:High performance is no use with poor functional by Lisandro · · Score: 1

    YouTube's automatic captioning works beautifully with those computer-generated voices.

  19. Re:Seriously who? Postgresql by mpapet · · Score: 2
    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  20. Re:Seriously who? Postgresql-XC by mpapet · · Score: 2

    Postgresql-XC http://postgres-xc.sourceforge...

    You're welcome.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  21. Re:Seriously who by Anonymous Coward · · Score: 0

    People use MySQL mostly because of habit or name recognition; but also because it's very hard for most people to tell the difference between a correctly implemented RDBMS and an RDBMS that has a 1/10000 chance of randomly corrupting your data. You can cite a long list of things that are wrong with MySQL implemented better in Postgres, but for the average developer who just wants to write a web app and knows little about SQL, it's all too abstract. "Who cares, I've used MySQL for years and never lost data."

  22. Re:Seriously who by Anonymous Coward · · Score: 0

    average developer who just wants to write a web app and knows little about SQL

    It's a shame that so few developers learn SQL beyond the very very basic SELECT, INSERT, UPDATE. They probably don't know about joins, and wouldn't know a transaction if it bit them ...

    Well, I guess that for them, MySQL is a good fit. For the rest of us, real databases exist.

    (OK, OK, I haven't touched MySQL in ages and I guess it must have improved somewhere along the way. It can't be all that bad these days, if you bother to fix the default settings first)

  23. I use Freebsd by Billly+Gates · · Score: 1

    And use jails. I don't seem to have this problem. Oh what is this SystemD I keep hearing about too?

  24. Re:High performance is no use with poor functional by Anonymous Coward · · Score: 0

    "If all you want is a key value store then knock yourself out..."

    Yeah, proper tool for the job and all that. "MongoDB is schemaless" my ass. More like "Your schema is enforced in your application code using ad-hoc hand-coded enforcement mechanisms.".

    Are you aware of https://aphyr.com/tags/Jepsen ? Fun reading!

  25. Re:Seriously who? Postgresql by bn-7bc · · Score: 1

    Correct, and as soon as they get the BDR extension for PostgreSQL 9.6 out the door you won't (if I understand correctly) need a modified version of Postgres either, just a few config parameters and an extension in the DB you want to replicate.

  26. Re:High performance is no use with poor functional by Dogtanian · · Score: 1

    Sure , MongoDB is fast.

    The problem with Mongo is that it's ruled by Ming the Merciless.

    On the other hand, MySQL is ruled by Larry Ellison, so..... euh, Mongo it is then.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  27. Public IP Address? by AlanObject · · Score: 1

    Can someone explain to me if it is common practice to expose the IP address of the SQL database server? I've set up MySQL a couple of times, but I'm no expert, and that just seems like asking for it to me.

  28. Re: Seriously who by Anonymous Coward · · Score: 0

    I have developed on and admin'd Pg and MySQL and they both have their place. Pg isn't better at everything. InnoDB's buffer pool craps over Pg's caching. MySQL's replication is better for some situations. Pg is better at JSON and geo. Anyone who is religious about either is a fool.

  29. Hi Microsoft or Oracle...you fail. by Anonymous Coward · · Score: 0

    Obvious propaganda.

    As others have pointed out, it was fixed. And since the creators/inventors of MySQL created and are now working on MariaDB, we already know the first thing they did was to fix a bunch of crap they were prevented by Sun/Oracle from fixing in MySQL.

    Just say NO to Oracle and Microsoft Sequel Sever.