Oracle MySQL security update

Number: AV16-157
Date: 01 October 2016

Purpose

This advisory draws attention to recently released Oracle MySQL security updates that address a critical vulnerability.

Assessment

Oracle has released security updates to address a critical vulnerability in MySQL. Exploitation of this vulnerability may allow for arbitrary remote code execution. This vulnerability also affects some projects forked from the main MySQL branch, including MariaDB and Percona Server.

Versions affected:

  • Oracle MySQL 5.5.x prior to version 5.5.52
  • Oracle MySQL 5.6.x prior to version 5.6.33
  • Oracle MySQL 5.7.x prior to version 5.7.15
  • MariaDB (see references for more information)
  • Percona Server and XtraDB Cluster (see references for more information)

CVE Reference: CVE-2016-6662

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
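
A triage check for the version list above, added here as an example and not part of the CCIRC advisory or any vendor tooling: it classifies the output of SELECT VERSION() and @@version_comment against the fixed Oracle MySQL releases. The function names, result labels and sample inventory are assumptions constructed for illustration.

```python
import re

# Fixed releases per Oracle MySQL branch, from the advisory's list; the 5.6
# value matches the 5.6.33 release notes linked in the references.
FIXED = {(5, 5): (5, 5, 52), (5, 6): (5, 6, 33), (5, 7): (5, 7, 15)}
FORKS = ("mariadb", "percona")  # advisory defers to vendor references for these


def assess(version, comment=""):
    """Classify a server from SELECT VERSION() and @@version_comment output.

    Returns one of: 'affected', 'patched', 'fork', 'unlisted', 'unparsed'.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unparsed"
    if any(f in (version + " " + comment).lower() for f in FORKS):
        return "fork"      # fixed versions differ; consult the vendor advisory
    ver = tuple(int(part) for part in m.groups())
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return "unlisted"  # branch not named in the advisory; no verdict given
    # Compare as integer tuples: as plain strings, "5.5.9" sorts after "5.5.52"
    # and an old server would be reported as patched.
    return "affected" if ver < fixed else "patched"


# Constructed sample inventory: (host, VERSION(), version_comment)
SAMPLE = [
    ("db01", "5.5.50-0ubuntu0.14.04.1", "(Ubuntu)"),
    ("db02", "5.5.9", "MySQL Community Server (GPL)"),
    ("db03", "5.6.33-log", "MySQL Community Server (GPL)"),
    ("db04", "5.7.14", "MySQL Community Server (GPL)"),
    ("db05", "10.1.17-MariaDB", "MariaDB Server"),
    ("db06", "5.6.32-78.0", "Percona Server (GPL)"),
    ("db07", "5.1.73", "Source distribution"),
]


def report(rows=SAMPLE):
    """Map each host to its verdict."""
    return {host: assess(version, comment) for host, version, comment in rows}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host}: {verdict}")
```

Hosts reported as fork or unlisted need a manual check against the vendor pages in the references, since the advisory gives no fixed versions for them.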

References:

National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6662

Security Researcher:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Oracle MySQL Release Notes:
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html

MariaDB Security Announcement:
https://mariadb.org/mariadb-server-versions-remote-root-code-execution-vulnerability-cve-2016-6662/

Percona Server Critical Update:
https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/
