Number: AV16-157
Date: 01 October 2016
Purpose
This advisory is to bring attention to recently released Oracle MySQL security updates addressing a critical vulnerability.
Assessment
Oracle has released security updates to address a critical vulnerability in MySQL. Exploitation of this vulnerability may allow for arbitrary remote code execution. Exploitation requires an attacker who already has database access with the FILE privilege (for example through SQL injection or compromised credentials); the flaw allows such an attacker to write a MySQL configuration file that is later loaded by mysqld_safe, resulting in code execution with root privileges on the host. This vulnerability also affects some projects forked from the main MySQL branch, including MariaDB and Percona Server.
Versions affected:
- Oracle MySQL 5.5.x prior to version 5.5.52
- Oracle MySQL 5.6.x prior to version 5.6.33
- Oracle MySQL 5.7.x prior to version 5.7.15
- MariaDB (see references for more information)
- Percona Server and XtraDB Cluster (see references for more information)
CVE Reference: CVE-2016-6662
Suggested Action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
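To help identify which servers need the vendor updates, the following triage script (an added example, not part of the CCIRC advisory or any vendor tooling) compares a reported server version string against the fixed Oracle MySQL versions listed above. Version strings are taken from the output of SELECT VERSION() and @@version_comment; the sample inventory in the script is constructed for illustration. MariaDB and Percona builds are flagged for review against their own vendor advisories rather than judged against the Oracle thresholds, because their fixed releases are numbered differently.

```python
"""Triage helper for CVE-2016-6662: classify MySQL server version strings
against the fixed Oracle releases listed in the advisory.

Added example; thresholds are those stated in the advisory (5.5.52, 5.6.33,
5.7.15). Fork builds are reported for manual review against vendor notes.
"""
import re

# Fixed Oracle MySQL versions per branch, as listed in the advisory.
FIXED = {
    (5, 5): (5, 5, 52),
    (5, 6): (5, 6, 33),
    (5, 7): (5, 7, 15),
}

# Leading numeric triple; distribution suffixes such as "-log" or
# "-0ubuntu0.16.04.1" are ignored for comparison purposes.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (major, minor, patch) from a VERSION() string such as
    '5.6.31-log'. Raises ValueError if no numeric triple is present."""
    m = VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def is_fork(version_string, version_comment=""):
    """Detect MariaDB or Percona builds from VERSION() / @@version_comment."""
    text = (version_string + " " + version_comment).lower()
    return "mariadb" in text or "percona" in text


def assess(version_string, version_comment=""):
    """Classify one server as 'affected', 'fixed', 'fork' (check the
    MariaDB/Percona advisory) or 'unknown-branch' (not covered here)."""
    if is_fork(version_string, version_comment):
        return "fork"
    version = parse_version(version_string)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if version >= fixed else "affected"


def triage(inventory):
    """Map hostname -> classification for a list of
    (host, VERSION(), @@version_comment) tuples."""
    return {host: assess(ver, comment) for host, ver, comment in inventory}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("db-legacy-01", "5.5.50-log", "MySQL Community Server (GPL)"),
    ("db-app-02", "5.6.33-log", "MySQL Community Server (GPL)"),
    ("db-app-03", "5.7.14-8", "MySQL Community Server (GPL)"),
    ("db-maria-04", "10.1.16-MariaDB", "MariaDB Server"),
    ("db-percona-05", "5.6.31-77.0", "Percona Server (GPL), Release 77.0"),
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-14s %s" % (host, result))
```

Feed the script the real values from each server (for example `mysql -N -e "SELECT VERSION(), @@version_comment"`) and treat every host reported as "affected" or "fork" as a candidate for the vendor update; "unknown-branch" means the branch is not one of the three covered by this advisory and should be checked against Oracle's own release notes.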
References:
=================
National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6662
Security Researcher:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
Oracle MySQL Release Notes:
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html
MariaDB Security Announcement:
https://mariadb.org/mariadb-server-versions-remote-root-code-execution-vulnerability-cve-2016-6662/
Percona Server Critical Update:
https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/