A researcher has discovered a critical security flaw in the world’s most widely used open-source database application — one that could allow hackers to completely take over a web server.
And, because Oracle is dragging its feet in releasing a patch and word of the flaw was starting to leak out, the researcher — Dawid Golunski — went ahead Tuesday and published details of the vulnerability and a partial proof of concept.
The vulnerability affects every version of Oracle’s MySQL application and two clones of it — MariaDB and PerconaDB.
The vulnerability, designated CVE-2016-6662, could potentially allow an attacker “to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running,” wrote Golunski in a post laying out details of his discovery.
He said the vulnerability could be exploited locally or remotely, via SQL injection.
He said that — in line with responsible disclosure best practice — he privately told Oracle and the manufacturers of PerconaDB and MariaDB about the vulnerability on July 29.
PerconaDB and MariaDB were both patched by their vendors on August 30, he said, but “Official patches for the vulnerability are not available at this time for Oracle MySQL server.”
Because the documentation accompanying the patches for PerconaDB and MariaDB contained details that could enable hackers to reverse-engineer the vulnerability, and because over 40 days had elapsed, Golunski said he made the decision to release details of the vulnerability and limited proof-of-concept code “to inform users about the risks” before Oracle’s next update — not scheduled until next month.
Oracle declined to comment.
On one security forum there were some expressions of skepticism about the seriousness of the vulnerability, given that the hacker trying to make use of it would require certain kinds of system privileges.
“This doesn’t seem very threatening at all,” wrote one user, “If you’re not already running services with strict file permissions this is the least of your worries.”
The user added that the vulnerability was better described as privilege escalation, a lesser kind of security flaw, rather than remote code execution.