Intruder Vulnerability Bulletin — MySQL Privilege Escalation Vulnerabilities

David Robinson

You may have heard of two new MySQL vulnerabilities in the news over the past couple of days (CVE-2016-6662 & CVE-2016-6663).

CVE-2016-6662

This vulnerability affects MySQL (versions < 5.7.15, < 5.6.33, < 5.5.52) as well as its MariaDB and PerconaDB derivatives.

If successfully exploited, this vulnerability may allow an attacker who has already gained access to the database to elevate their privileges to the “root” administrative level.

It is important to note that for an attack to be successful, the attacker must have already gained access to an affected database (e.g. via another attack such as SQL Injection). That access would be considered a critical weakness in its own right, as they would likely already have complete control of your application’s data.

We’ve already checked our customers’ systems. Even if you’re not using Intruder’s continuous monitoring service yet, this vulnerability isn’t something to panic about; we recommend patching any affected databases across your estate as part of your normal patching process.

Further details of this vulnerability can be found at: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
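
As an added example (not part of the original bulletin or Intruder's tooling), the following Python script triages an inventory of `SELECT VERSION()` strings against the MySQL version ranges listed above. The inventory format, host names and status labels are assumptions made for illustration; MariaDB and Percona builds are flagged for a vendor check because the bulletin gives no fixed versions for them.

```python
import re

# First fixed release per branch, taken from the bulletin's ranges:
# MySQL < 5.7.15, < 5.6.33 and < 5.5.52 are affected.
FIXED = {(5, 7): (5, 7, 15), (5, 6): (5, 6, 33), (5, 5): (5, 5, 52)}
OLDEST_FIXED = min(FIXED.values())

def classify(version_string):
    """Map a SELECT VERSION() string to a triage status (labels are illustrative)."""
    # Derivatives are affected per the bulletin, but it lists no fixed versions
    # for them. Only builds whose version string names the vendor are detected.
    if re.search(r"mariadb|percona", version_string, re.IGNORECASE):
        return "check-vendor"
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        return "unparsed"
    version = tuple(int(part) for part in match.groups())
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return "affected" if version < fixed else "not-affected"
    # Branches not named in the bulletin: anything below 5.5.52 still falls
    # inside the "< 5.5.52" range; anything newer than 5.7 is outside all ranges.
    return "affected" if version < OLDEST_FIXED else "not-affected"

# Constructed sample inventory: "<host> <version string>" per line.
INVENTORY = """\
db-01 5.7.14-log
db-02 5.7.15
db-03 5.6.32
db-04 5.5.52-0ubuntu0.14.04.1
db-05 10.1.16-MariaDB
db-06 5.1.73
db-07 unknown
"""

def triage(inventory):
    """Return {host: status} for every non-empty inventory line."""
    results = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _, version_string = line.strip().partition(" ")
            results[host] = classify(version_string)
    return results

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}\t{status}")
```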

CVE-2016-6663

Full details of this vulnerability have not yet been released; however, initial information suggests it is similar in nature to CVE-2016-6662. We will issue an update as more information becomes available.
