Database Security Digest – October 2016

Last month was relatively calm compared with the series of big data breaches in previous months.

A hacker known as Guccifer 2.0, already known for leaking genuine documents of political organizations, has exposed files from the Clinton Foundation. He wrote that it was only a matter of time, as the Clinton Foundation staff did not bother about information security.

Modern Business Systems suffered a breach of 58 user accounts, exposing customer names, postal, email and IP addresses, and phone numbers. Game developer Evony Gaming had 33 million accounts compromised, including usernames, passwords and email addresses.

New MySQL flaws

Two serious privilege escalation vulnerabilities, CVE-2016-6663 and CVE-2016-6664 (tracked by Oracle as CVE-2016-5616 and CVE-2016-5617 respectively), have been found in MySQL and its forks MariaDB and PerconaDB. The developers have already released updates addressing the flaws.

CVE-2016-6663 makes exploitation of CVE-2016-6662 easier. It is a race condition that allows low-privileged users to escalate privileges and execute arbitrary code as the database system user. It can be exploited by attackers who find a vulnerability in a website and gain access to the target system as a low-privileged user, and also in shared hosting environments where each user can access only one particular database.

According to the researcher who discovered the flaw, CVE-2016-6663 can be chained with CVE-2016-6662 or CVE-2016-6664 to obtain root privileges and compromise the whole targeted system. The exploit is publicly available, and there is even a video demonstrating it. With this in mind, users of affected platforms should patch as soon as possible.

The vulnerabilities affect Oracle MySQL versions 5.5.51, 5.6.32, 5.7.14 and earlier. The October Critical Patch Update fixes both issues. Percona announced that it has updated Percona Server to address the vulnerabilities above. MariaDB has patched CVE-2016-6663 and deferred CVE-2016-6664 to an upcoming maintenance release, arguing that it is not exploitable on its own.

Oracle Fixes

Oracle announced the release of its Critical Patch Update on October 18, eliminating 253 vulnerabilities across various products. Oracle Database Server received 12 security fixes:

One of these vulnerabilities can be exploited remotely without requiring user credentials.

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Privileges Required | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5555 | OJVM | Create Session, Create Procedure | Multiple | No | 9.1 | Network | High | 11.2.0.4, 12.1.0.2 |
| CVE-2016-5572 | Kernel PDB | Create Session | Oracle Net | No | 6.4 | Local | High | 12.1.0.2 |
| CVE-2016-5497 | RDBMS Security | Create Session | Oracle Net | No | 6.4 | Local | High | 12.1.0.2 |
| CVE-2010-5312 | Application Express | None | HTTP | Yes | 6.1 | Network | None | Prior to 5.0.4.00.07 |
| CVE-2016-5516 | Kernel PDB | Execute on DBMS_PDB_EXEC_SQL | Oracle Net | No | 6.0 | Local | High | 12.1.0.2 |
| CVE-2016-5505 | RDBMS Programmable Interface | Create Session | Oracle Net | No | 5.5 | Local | Low | 11.2.0.4, 12.1.0.2 |
| CVE-2016-5498 | RDBMS Security | Create Session | Oracle Net | No | 3.3 | Local | Low | 11.2.0.4, 12.1.0.2 |
| CVE-2016-5499 | RDBMS Security | Create Session | Oracle Net | No | 3.3 | Local | Low | 11.2.0.4, 12.1.0.2 |
| CVE-2016-3562 | RDBMS Security and SQL*Plus | DBA level privileged account | Oracle Net | No | 2.4 | Network | High | 11.2.0.4, 12.1.0.2 |

Oracle MySQL

This update contains 31 security fixes for Oracle MySQL, 2 of which may be remotely exploitable without authentication.

| CVE# | Component | Subcomponent | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Privileges Required | Versions Affected |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-6304 | MySQL Server | Server: Security: Encryption | MySQL Protocol | Yes | 7.5 | Network | None | 5.6.33, 5.7.15 and earlier |
| CVE-2016-6662 | MySQL Server | Server: Logging | None | No | 7.2 | Local | High | 5.5.52, 5.6.33, 5.7.15 and earlier |
| CVE-2016-5617 | MySQL Server | Server: Error Handling | None | No | 7.0 | Local | Low | 5.5.51, 5.6.32, 5.7.14 and earlier |
| CVE-2016-5616 | MySQL Server | Server: MyISAM | None | No | 7.0 | Local | Low | 5.5.51, 5.6.32, 5.7.14 and earlier |
| CVE-2016-5625 | MySQL Server | Server: Packaging | None | No | 7.0 | Local | Low | 5.7.14 and earlier |
| CVE-2016-5609 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low | 5.6.31, 5.7.13 and earlier |
| CVE-2016-5612 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low | 5.5.50, 5.6.31, 5.7.13 and earlier |
| CVE-2016-5624 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low | 5.5.51 and earlier |
| CVE-2016-5626 | MySQL Server | Server: GIS | MySQL Protocol | No | 6.5 | Network | Low | 5.5.51, 5.6.32, 5.7.14 and earlier |
| CVE-2016-5627 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 6.5 | Network | Low | 5.6.31, 5.7.13 and earlier |
| CVE-2016-3492 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | 5.5.51, 5.6.32, 5.7.14 and earlier |
| CVE-2016-5598 | MySQL Connector | Connector/Python | MySQL Protocol | Yes | 5.6 | Network | None | 2.1.3, 2.0.4 and earlier |
| CVE-2016-7440 | MySQL Server | Server: Security: Encryption | None | No | 5.1 | Local | None | 5.5.52, 5.6.33, 5.7.15 and earlier |
| CVE-2016-5628 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | High | 5.7.13 and earlier |
| CVE-2016-5629 | MySQL Server | Server: Federated | MySQL Protocol | No | 4.9 | Network | High | 5.5.51, 5.6.32, 5.7.14 and earlier |
| CVE-2016-3495 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High | 5.7.13 and earlier |
| CVE-2016-5630 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High | 5.6.31, 5.7.13 and earlier |
| CVE-2016-5507 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | High | 5.6.32, 5.7.14 and earlier |
| CVE-2016-5631 | MySQL Server | Server: Memcached | MySQL Protocol | No | 4.9 | Network | High | 5.7.13 and earlier |
| CVE-2016-5632 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | High | 5.7.14 and earlier |
| CVE-2016-5633 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 4.9 | Network | High | 5.7.13 and earlier |
| CVE-2016-5634 | MySQL Server | Server: RBR | MySQL Protocol | No | 4.9 | Network | High | 5.7.13 and earlier |
| CVE-2016-5635 | MySQL Server | Server: Security: Audit | MySQL Protocol | No | 4.9 | Network | High | 5.7.13 and earlier |
| CVE-2016-8289 | MySQL Server | Server: InnoDB | None | No | 4.7 | Local | High | 5.7.13 and earlier |
| CVE-2016-8287 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.5 | Network | High | 5.7.13 and earlier |
| CVE-2016-8290 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 4.4 | Network | High | 5.7.13 and earlier |
| CVE-2016-5584 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.4 | Network | High | 5.5.52, 5.6.33, 5.7.15 and earlier |
| CVE-2016-8283 | MySQL Server | Server: Types | MySQL Protocol | No | 4.3 | Network | Low | 5.5.51, 5.6.32, 5.7.14 and earlier |
| CVE-2016-8288 | MySQL Server | Server: InnoDB Plugin | MySQL Protocol | No | 3.1 | Network | Low | 5.6.30, 5.7.12 and earlier |
| CVE-2016-8286 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 3.1 | Network | Low | 5.7.14 and earlier |
| CVE-2016-8284 | MySQL Server | Server: Replication | None | No | 1.8 | Local | High | 5.6.31, 5.7.13 and earlier |

Greenplum Database 4.3.10.0

The update introduces S3 writeable tables, resolves known issues, and includes some enhancements and changes.

Specifying an external table with the gphdfs protocol using the symbols \, ', < or > was a potential security vulnerability. The issue has been resolved.

MariaDB 10.0.28

The new version includes updates for XtraDB, TokuDB, InnoDB and Performance Schema, and fixes for a number of security vulnerabilities:

CVE-2016-5616 (CVE-2016-6663 by Oracle)

Allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM.

CVSS Score: 7.0

CVE-2016-5624

Allows remote authenticated users to affect availability via vectors related to DML.

CVSS Score: 6.5

CVE-2016-5626

Allows remote authenticated users to affect availability via vectors related to GIS.

CVSS Score: 6.5

CVE-2016-3492

Allows remote authenticated users to affect availability via vectors related to Server: Optimizer.

CVSS Score: 6.5

CVE-2016-5629

Allows remote administrators to affect availability via vectors related to Server: Federated.

CVSS Score: 4.9

CVE-2016-8283

Allows remote authenticated users to affect availability via vectors related to Server: Types.

CVSS Score: 4.3

CVE-2016-7440 – unspecified vulnerability.

CVE-2016-5584

Allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption.

CVSS Score: 4.4

MySQL 5.6.34

The new release contains security enhancements for the secure_file_priv system variable, which limits the effect of data import and export operations. It can now be set to NULL to disable all import/export operations. The server also checks the secure_file_priv value at startup and writes a warning to the error log if the value is insecure.

Previously the secure_file_priv system variable was empty by default. Now the default value is set according to the value of the INSTALL_LAYOUT CMake option.
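As an added example (not taken from the MySQL release notes), here is a my.cnf fragment that puts the insecure empty setting next to the two restrictive ones the release describes; the directory /var/lib/mysql-files is an assumed path, to be replaced with a directory owned by the mysql user and writable by nobody else.

```ini
# Added example, not from the MySQL 5.6.34 release notes.
# /var/lib/mysql-files is an assumed path.

[mysqld]

# Weak: an empty value means no restriction. LOAD DATA INFILE, LOAD_FILE()
# and SELECT ... INTO OUTFILE may then read or write any file the server's
# OS user can reach, and 5.6.34 logs a startup warning about this.
# secure_file_priv = ""

# Hardened option 1: confine import/export to one dedicated directory.
# Only files under this path can be read by LOAD DATA INFILE / LOAD_FILE()
# or written by SELECT ... INTO OUTFILE.
secure_file_priv = /var/lib/mysql-files

# Hardened option 2 (new in 5.6.34): disable import/export completely.
# Use this on servers that never need file import or export.
# secure_file_priv = NULL
```

secure_file_priv is not dynamic, so the change takes effect only after a server restart; verify it afterwards with SHOW VARIABLES LIKE 'secure_file_priv'; and check the error log for the startup warning.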

More detailed information can be found in the release notes.

Percona Server 5.7.15-9

Based on MySQL 5.7.15, including all the bug fixes in it, Percona Server 5.7.14-8 is the current GA (Generally Available) release in the Percona Server 5.7 series.

The update contains a number of bug fixes, including a fix for slave thread leaks that occurred when thread creation failed. Memory leaks in the Audit Log Plugin have also been eliminated.