CVE-2016-6662

Impact: Important
Public Date: 2016-09-12
CWE: CWE-732
Bugzilla: 1375198: CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation (CPU Oct 2016)

It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.

Find out more about CVE-2016-6662 from the MITRE CVE dictionary and NIST NVD.

Statement

All MySQL and MariaDB packages in Red Hat Enterprise Linux and Red Hat Software Collections install the my.cnf configuration file in /etc as root-owned and not writable by the mysql user that mysqld runs as. This default configuration stops the published exploit for this issue.

All MySQL and MariaDB packages for Red Hat Enterprise Linux 7 (either those directly included in Red Hat Enterprise Linux 7 or from Red Hat Software Collections for Red Hat Enterprise Linux 7) run mysqld_safe with mysql user privileges and not root privileges, limiting the potential impact to code execution as mysql system user.

The MySQL 5.1 packages in Red Hat Enterprise Linux 6 do not implement support for library preloading, completely preventing the remote attack vector used by the published exploit.

For additional details, refer to:

https://bugzilla.redhat.com/show_bug.cgi?id=1375198#c12

CVSS v2 metrics

Base Score: 7.1
Base Metrics: AV:N/AC:H/Au:S/C:C/I:C/A:C
Access Vector: Network
Access Complexity: High
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

CVSS v3 metrics

CVSS3 Base Score: 8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity Impact: High
Availability Impact: High

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (mariadb55-mariadb) | RHSA-2016:2131 | 2016-10-31 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-mariadb101-mariadb) | RHSA-2016:2928 | 2016-12-08 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 (mariadb-galera) | RHSA-2016:2059 | 2016-10-13 |
| Red Hat Enterprise Linux 6 (mysql) | RHSA-2017:0184 | 2017-01-24 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-mysql56-mysql) | RHSA-2016:2749 | 2016-11-15 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-mariadb101-mariadb) | RHSA-2016:2928 | 2016-12-08 |
| Red Hat Enterprise Linux 7 (mariadb) | RHSA-2016:2595 | 2016-11-03 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 (mariadb-galera) | RHSA-2016:2058 | 2016-10-13 |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 (mariadb-galera) | RHSA-2016:2060 | 2016-10-13 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-mysql56-mysql) | RHSA-2016:2749 | 2016-11-15 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (mariadb55-mariadb) | RHSA-2016:2131 | 2016-10-31 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (mysql55-mysql) | RHSA-2016:2130 | 2016-10-31 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (mysql55-mysql) | RHSA-2016:2130 | 2016-10-31 |
| Red Hat OpenStack Platform 8.0 (Liberty) (mariadb-galera) | RHSA-2016:2077 | 2016-10-18 |
| Red Hat OpenStack Platform 9.0 (mariadb-galera) | RHSA-2016:2062 | 2016-10-13 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-mariadb100-mariadb) | RHSA-2016:2927 | 2016-12-08 |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 (mariadb-galera) | RHSA-2016:2061 | 2016-10-13 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-mariadb100-mariadb) | RHSA-2016:2927 | 2016-12-08 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 10 | mariadb-galera | Not affected |
| Red Hat Mobile Application Platform On-Premise 4 | millicore | Not affected |
| Red Hat Enterprise Linux 5 | mysql | Not affected |
| Red Hat Enterprise Linux 5 | mysql55-mysql | Will not fix |

Mitigation

- Ensure that no MySQL / MariaDB configuration file is writable by the mysql user. This is the default configuration in Red Hat products.

- Ensure that non-administrative database users are not granted the FILE privilege. Applications accessing data in MySQL / MariaDB databases, including web applications potentially vulnerable to SQL injection, should use database accounts with the lowest privileges required.

- If the FILE privilege needs to be granted to some non-administrative database users, use the secure_file_priv setting to limit where files can be written to or read from.
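
One way to check the first mitigation on a host, as an added example that is not part of the original advisory or Red Hat's tooling: the function names are hypothetical, only POSIX mode bits are evaluated (ACLs are ignored), and the default path is the /etc/my.cnf location named in the Statement above.

```python
import os
import pwd
import stat
import sys

def can_write(st, uid, gids):
    """True if the mode bits in stat result `st` grant write access to uid/gids."""
    if uid == 0:
        return True  # root is not restricted by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_config(paths, uid, gids):
    """Return (path, reason) findings for config paths the account could modify."""
    findings = []
    for path in paths:
        real = os.path.realpath(path)  # judge the file a symlink points at
        parent = os.path.dirname(real)
        if os.path.exists(real) and can_write(os.stat(real), uid, gids):
            findings.append((path, "path is writable"))
        # Checked even when the file is missing: write access to the
        # directory can let the account create or replace the file.
        if os.path.isdir(parent) and can_write(os.stat(parent), uid, gids):
            findings.append((path, "parent directory is writable"))
    return findings

if __name__ == "__main__":
    # Assumption: the server runs as the local account "mysql".
    account = pwd.getpwnam("mysql")
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    # Pass every file and include directory your server reads as arguments.
    targets = sys.argv[1:] or ["/etc/my.cnf"]
    results = audit_config(targets, account.pw_uid, groups)
    for path, reason in results:
        print(f"FINDING {path}: {reason} by {account.pw_name}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any finding is reported, so it can run from a configuration-compliance job.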
