Slashdot Mirror

← Back to Stories (view on slashdot.org)

Two Critical MySQL Bugs Discovered (infoworld.com)

Posted by EditorDavid on from the debasing-the-database dept.

An anonymous reader quotes InfoWorld: Two critical privilege escalation vulnerabilities in MySQL, MariaDB, and PerconaDB can help take control of the whole server, which is very bad for shared environments... Administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database... The first vulnerability, a privilege escalation/race condition flaw, gives elevated privileges to a local system user with access to a database and allows them to execute arbitrary code as the database system user. This gives an attacker access to all of the databases on the affected server... The privilege escalation/race condition flaw can be chained with another critical vulnerability, a root privilege escalation vulnerability, to further elevate the system level user to gain root on the server.

32 of 70 comments (clear)

  1. I recommend Oracle by 110010001000 · · Score: 3, Funny

    Oracle is unbreakable.

    Signed,
    Larry

    1. Re:I recommend Oracle by Lisandro · · Score: 1, Insightful

      The sad thing is, Oracle is still by far the best RDBMS out there. Sometimes you do get what you pay for.

    2. Re: I recommend Oracle by 93+Escort+Wagon · · Score: 1

      OP was referring to an Oracle advertising campaign from earlier this millenium - they referred to their database as "unbreakable".

      It ended up being a rather short campaign for obvious reasons...

      --
      #DeleteChrome
    3. Re:I recommend Oracle by rubycodez · · Score: 1

      nonsense, shill-boy, plenty of superior DBMS out there that even scale better than Oracle, such as DB2.

      Besides Oracle is now shaky and unstable, I had to put in a few hours this weekend because of long standing bugs they've yet to fix.

      Add to that their goons "audit" a customer like mafia thugs, claiming the customer has to even pay for hardware where Oracle doesn't run because it might run there! Then the customer has to either pay up or buy Oracle hardware.

      The sad thing is that Oracle is circling the drain, no one should be using it.

    4. Re:I recommend Oracle by rubycodez · · Score: 1

      my employer uses it for mission critical systems. sadly, it breaks. I remember back when it could have uptime in years, but that's not now

    5. Re:I recommend Oracle by ebvwfbw · · Score: 1

      Sounds like you aren't the one paying the bills.

      Buy it sometime for a business and tell me how great it is.

    6. Re:I recommend Oracle by ebvwfbw · · Score: 1

      Oh, and then ask for some of the support that you paid for. I'm not paying for it, I see the bills and I'm still really upset. Their customer service is crap. Their attitude is crap, especially when it comes to security. They don't care.

      I'll stop there or I'd be typing all night. Wherever Oracle is, they really should have a parking space with my name on it as a sponsor.

  2. Re:WTF by Lisandro · · Score: 1

    Hey, root access makes things easier. People are just lazy...

  3. MySQL is not webscale by Anonymous Coward · · Score: 1, Funny

    MySQL is not webscale. Why didn't you use MongoDB? MongoDB is a web scale database, and doesn't use SQL or JOINs, so it's high-performance. Everybody knows that relational databases don't scale because they use JOINs and write to disk. Relational databases weren't built for web scale. MongoDB handles web scale. You turn it on and it scales right up. MySQL is slow as a dog. MongoDB will run circles around MySQL because MongoDB is web scale.

    1. Re:MySQL is not webscale by 110010001000 · · Score: 1

      Webscale is so 2010. The real question is: is it cloud based?

  4. High performance is no use with poor functionality by Viol8 · · Score: 2, Informative

    Sure , MongoDB is fast. But having used it after spending years with relational DBs my opinion of it is its a little more than a toy thats one step up from a flat file and is bascially a throwback to what existed back in the 70s before RDBs came along.

    If all you want is a key value store then knock yourself out, but if you want proper relational operations - and don't say they're not important, they damn well are in any serious business data - then forget it. Mongo has some relational operators hacked in and the latest versions can do a piss poor simulcra of a join between collections but these can't use an index so are essentially useless for high speed operations. Also Mongo doesn't support transactions making dirty reads possible and hence its useless for simultanious multiclient operations on critical data. And don't get me started on its hideous bastard stepchild of javascript command line making even the simplest query a PITA exercise in bracket counting.

    "MongoDB will run circles around MySQL because MongoDB is web scale."

    Dishing up noddy website data is pretty much all its any use for.

  5. Re:Seriously who by HornWumpus · · Score: 1

    MySQL and its metastases is just non-standard enough. Once you use it, you're stuck with it or you get to start over.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  6. Re:Seriously who by Anonymous Coward · · Score: 1

    Indeedy, I learnt Postgres over ten years ago, when 8.0 was current.

    I chose it largely because people were touting it as better than MySQL. I didn't know any SQL back then, but I had a fairly simple PHP/MySQL app I could port over. The porting taught me quite a bit.

    Today, if I were to start from zero again and had the time, I'd learn Firebird. Not that there's anything wrong with Pg, I'd do it just out of curiosity. If the Moscow stock exchange runs it, it must be pretty damn powerful ...

  7. Re:WTF by XXeR · · Score: 3, Informative

    MySQL runs a thread or process as root? Why?

    It doesn't. Read the hack, it's using a symlink attack on error.log to gain access to an arbitrary root owned file.

  8. Re:Seriously who by darkain · · Score: 1

    Multi-master replication across multiple datacenters for high availability and low latency reads. How many databases have this feature right now?

  9. Re:High performance is no use with poor functional by darkain · · Score: 4, Insightful

    Apparently you are unaware of this... https://www.youtube.com/watch?...

  10. Old news (even for Slashdot) by Zontar+The+Mindless · · Score: 5, Informative

    Both of these vulnerabilities were fixed in MySQL two months ago. I assume MariaDB and Percona have long since applied the patches as well.

    So the big takeaway here is, "If you've not upgraded to the latest release yet, why the hell not?"

    --
    Il n'y a pas de Planet B.
    1. Re:Old news (even for Slashdot) by supremebob · · Score: 1

      Has everyone actually applied these patches, though? I'd imagine that AWS has already patches all of their RDS instances that they manage for companies, but have all of the smaller organizations that use MySQL as an embedded database?

    2. Re:Old news (even for Slashdot) by Zontar+The+Mindless · · Score: 1

      All they need to do is upgrade to the latest release. I believe there has actually been another release in each current series (5.5, 5.6, 5.7) since the releases incorporating the fix.

      I still think it's a slow news day at InfoWorld.

      --
      Il n'y a pas de Planet B.
  11. Re:High performance is no use with poor functional by Lisandro · · Score: 1

    Youtube's automatic captioning works beautifully with that computer-generated voices.

  12. Re: WTF by KiloByte · · Score: 2

    What kind of kindergarten shit is this?

    Well, it's mostly people who don't know any better (ie, the vast majority). If you need a relational database, you want real SQL like Postgres. If you're happy with a flat store, there are more efficient solutions that don't pretend to be SQL.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  13. Re:Seriously who? Postgresql by mpapet · · Score: 2

    https://2ndquadrant.com/en/res...

    You're welcome.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  14. Re:Seriously who? Postgresql-XC by mpapet · · Score: 2

    Postgresql-XC http://postgres-xc.sourceforge...

    You're welcome.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  15. Re: okay by 93+Escort+Wagon · · Score: 1

    It's not a binary toggle.You shouldn't provide unfettered shell access on your server to your users unless it's necessary for the function of that server. And, if it is, running your database from that same server is unwise.

    --
    #DeleteChrome
  16. I use Freebsd by Billly+Gates · · Score: 1

    And use jails. I don't seem to have this problem. Oh what is this SystemD I keep hearing about too?

    --
    http://saveie6.com/
  17. Re:Seriously who? Postgresql by bn-7bc · · Score: 1

    Correct an as soon as they get thr bdr exstension for posgresql 9.6 out rhe dor you will ( if i understtand correctly) need a modified verson of postgres either, just a few config parameters and an extension in the db you wan to repliicate

  18. Re:High performance is no use with poor functional by Dogtanian · · Score: 1

    Sure , MongoDB is fast.

    The problem with Mongo is that it's ruled by Ming the Merciless.

    On the other hand, MySQL is ruled by Larry Ellison, so..... euh, Mongo it is then.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  19. Re:WTF by Anonymuous+Coward · · Score: 1

    No shit. How is mysqld_safe able to chown that file if it's not running as root?

  20. Re:WTF by Anonymuous+Coward · · Score: 1
    Because it does?

    The second exploit relies on mysqld_safe (sic) being run as root, otherwise the whole thing falls flat: you can make error_log a symlink to /etc/ld.so.preload as much as you like, but you won't be able to chown the latter and overwrite it.

  21. Re:WTF by HornWumpus · · Score: 1

    The only thing I know about MySQL is to 'run away'. _Never_ take jobs/contracts at companies that incompetent.

    If MySQL wasn't leaking root privileges it would be an OS bug. For MySQL to leak it, it has to have it.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  22. Public IP Address? by AlanObject · · Score: 1

    Can someone explain to me if it is common practice to expose the IP address of the SQL data base server? I've set up MySQL a couple of times but I'm no expert but that just seems like asking for it to me.

  23. Re: WTF by Cramer · · Score: 1

    Nobody who cares about their data uses innodb. I guess you've never experienced any type of file corruption. The makers of innodb cannot be bothered to write tools to detect errors, much less do anything about them. "Get database dumps" is the wrong fucking answer! All it takes is a single bit getting flipped to ruin an entire datastore -- which can be multiple databases.