
Critical MySQL Vulnerability CVE-2016-6662 – Are You Protected?


On September 9, Dawid Golunski reported CVE-2016-6662, a major vulnerability in MySQL which also affects PerconaDB and MariaDB.  This is what’s known as a SQL injection attack, and attackers can use it to take over your server completely. It works by tricking MySQL into giving an attacker control over the system (“root privileges”) by loading malicious configuration files. Percona has a post describing the attack in more detail.

Am I at risk?

All JetRails customers at eBoundHost are already protected. Others using older versions of MySQL, Maria or PerconaDB may be at risk. Platforms that rely on these databases include Magento, WordPress, Drupal, OpenCart and Prestashop, and any LAMP-based application may be vulnerable. If you aren't sure, check in with your developer.


MySQL has fixed this problem in versions 5.5.52, 5.6.33 and 5.7.15.  Percona and Maria have also released updates with fixes for the vulnerability.  Aside from upgrading, you can patch mysqld_safe, or change the permissions on configuration files to eliminate this vulnerability.
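A quick way to triage a host against the two checks above (fixed release and configuration-file permissions), as an added example that is not from the original post or from MySQL. The function names `version_status` and `config_risk` are hypothetical, the configuration file path and database account are supplied by the operator, and treating a file as "risky" when the database account owns it or when it is group/world writable is an assumption about what safe permissions mean here.

```bash
#!/usr/bin/env bash
# Added example. The thresholds are the fixed MySQL releases named in this
# post (5.5.52, 5.6.33, 5.7.15); function names and outputs are hypothetical.

# version_status "5.6.32-log" -> patched | vulnerable | check-vendor | unknown
version_status() {
    local raw="$1" ver major rest minor patch fixed
    case "$raw" in
        *[Mm]aria*|*[Pp]ercona*) echo "check-vendor"; return 0 ;;  # vendor has its own fixed builds
    esac
    ver="${raw%%-*}"                                   # drop suffixes such as "-log"
    case "$ver" in *.*.*) ;; *) echo "unknown"; return 0 ;; esac
    major="${ver%%.*}"; rest="${ver#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    case "$major.$minor" in
        5.5) fixed=52 ;;
        5.6) fixed=33 ;;
        5.7) fixed=15 ;;
        *)   echo "unknown"; return 0 ;;               # branch not listed in the post
    esac
    case "$patch" in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    if [ "$patch" -ge "$fixed" ]; then echo "patched"; else echo "vulnerable"; fi
}

# config_risk FILE DBUSER -> ok | risky | missing | error
# "risky" (assumption): FILE is owned by the database account (name or
# numeric uid) or is group/world writable, so that account may be able to
# rewrite it. "error" means find rejected the input, e.g. an unknown user.
config_risk() {
    local file="$1" dbuser="$2" hit
    [ -e "$file" ] || { echo "missing"; return 0; }
    hit=$(find "$file" -prune \( -user "$dbuser" -o -perm -0020 -o -perm -0002 \) -print) \
        || { echo "error"; return 0; }
    if [ -n "$hit" ]; then echo "risky"; else echo "ok"; fi
}

# Constructed sample version strings, for demonstration only.
for v in 5.5.51 5.6.33-log 5.7.14 10.1.16-MariaDB; do
    printf '%-18s %s\n' "$v" "$(version_status "$v")"
done
```

On a real host, pass `version_status` the version string the server reports and run `config_risk` once per configuration file the server reads, with the account the database runs as.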

If you have any questions about your site’s safety or how to make your environment secure, get in touch.
