First published: Wed Jan 18 2017
It was discovered that mysqld_safe could read the ledir value, which specifies the directory where mysqld is stored, from a configuration file. This could allow a user with privileges to write to a MySQL configuration file (either the mysql OS user, or any local OS user able to write to the config some other way, e.g. by exploiting <a href="https://access.redhat.com/security/cve/CVE-2016-6662">CVE-2016-6662</a>) to escalate their privileges to root if mysqld_safe was run with root privileges.

This problem is related to a change applied as part of the <a href="https://access.redhat.com/security/cve/CVE-2016-6662">CVE-2016-6662</a> fix: <a href="https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c#diff-144aa2f11374843c969d96b7b84247eaR211">https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c#diff-144aa2f11374843c969d96b7b84247eaR211</a>

That change introduced a restriction that the mysqld and mysqld_version options can only be specified on the command line and cannot be defined in a configuration file. However, the restriction was trivial to bypass while ledir was not restricted in a similar way.

A restriction for ledir was added in MySQL versions 5.5.54, 5.6.35, and 5.7.17. The following related entry can be found in the release notes:

The --ledir option now is accepted only on the command line, not in option files.

<a href="http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html">http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html</a>
<a href="http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html">http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html</a>
<a href="http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html">http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html</a>

MySQL upstream commit: <a href="https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea">https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-144aa2f11374843c969d96b7b84247ea</a>

The CVE was made public via Oracle CPU January 2017: <a href="http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL">http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL</a>
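A defender-side check for the condition described above, as an added example (not code from MySQL, Red Hat or this page): it scans option files for ledir, mysqld and mysqld-version settings and flags files that a non-root account can write. The function names, the default paths and the sample text are assumptions; `!include` directives are not followed, and hits are reported with their group rather than filtered by it.

```python
import os
import stat
import sys

# Options the advisory says must be accepted only on the command line.
# Assumption: "-" and "_" are interchangeable in option names.
RESTRICTED = {"ledir", "mysqld", "mysqld-version"}

# Constructed sample option file, not taken from a real system.
SAMPLE = """\
[mysqld]
datadir=/var/lib/mysql
# ledir=/commented/out
[mysqld_safe]
log-error=/var/log/mysqld.log
ledir = /opt/custom/bin
mysqld_version=custom
"""

def find_restricted_options(text):
    """Return (line_no, group, option, value) for each restricted option."""
    hits, group = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;!":   # blank, comment, !include directive
            continue
        if line.startswith("[") and "]" in line:
            group = line[1:line.index("]")].strip().lower()
            continue
        name, _, value = line.partition("=")
        name = name.strip().lstrip("-").replace("_", "-").lower()
        if name in RESTRICTED:
            hits.append((n, group, name, value.strip()))
    return hits

def writable_by_non_root(path):
    """True if the file is owned by a non-root user or is group/world writable."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    # Assumed default locations; pass other option files as arguments.
    defaults = ["/etc/my.cnf", "/etc/mysql/my.cnf"]
    for path in filter(os.path.isfile, sys.argv[1:] or defaults):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for n, group, name, value in find_restricted_options(fh.read()):
                print(f"{path}:{n}: [{group}] {name}={value}")
        if writable_by_non_root(path):
            print(f"{path}: writable by a non-root account")
```

A hit in a file that is also reported as writable by a non-root account is the combination the advisory describes; on fixed versions the option-file setting is no longer accepted, but the finding is still worth cleaning up.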
Affected Software | Affected Version | How to fix |
---|---|---|
MySQL (MySQL-common) | >=5.5.54 <=5.5.54, >=5.6.35 <=5.6.35, >=5.7.17 <=5.7.17 | |
The severity of REDHAT-BUG-1414429 is considered to be high due to the potential for unauthorized access to MySQL configuration files.
To fix REDHAT-BUG-1414429, you should update your MySQL Server to a version that is not affected by this vulnerability.
MySQL versions 5.5.54, 5.6.35, and 5.7.17 are affected by REDHAT-BUG-1414429.
Users with privileges to write to MySQL configuration files are impacted by REDHAT-BUG-1414429.
The impact of REDHAT-BUG-1414429 is that an attacker could potentially read sensitive system information through the mysqld_safe configuration.