On 12 September, 2016, an independent researcher revealed multiple MySQL vulnerabilities. This advisory focuses on a vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) under certain configurations, leading to critical consequences.
The vulnerability affects all MySQL servers in the default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and can be exploited by both local and remote attackers. Both the authenticated access to MySQL databases (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors if a MySQL user has the SUPER privilege granted. Additionally, MySQL users with both SELECT and FILE privileges granted are also affected.
A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL or MariaDB is running.
Are you running a vulnerable version?
If you are not a customer subscribed under our Server Management plan and would like to have this vulnerability patched please purchase a 1x Hour of Support plan.
Don’t hesitate to contact us for any questions you may have through our Contact Form page or LiveChat!