The Polish security researcher Dawid Golunski reported that he found two zero-days, CVE-2016-6662 and CVE-2016-6663, in MySQL, the world’s 2nd most popular database management software. The flaws allow remote code execution, but exploitation presupposes access to a vulnerable system with the privileges needed to edit the MySQL configuration file (my.cnf). In a default MySQL installation, only the superuser holds that privilege. Both critical vulnerabilities were reported to Oracle as well as to the other database vendors.

In an advisory published yesterday, Golunski explained that “A successful exploitation [of CVE-2016-6662] could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running”.

“As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October,” the researcher added.

Exploiting the vulnerability therefore requires the privilege to edit the configuration file, which normally means root permissions. In practice, this presupposes that the attacker already holds elevated privileges on the system, or that the permissions on the configuration file have been deliberately changed so that a less privileged account can modify it.

Golunski nevertheless suggests a few temporary mitigations to keep servers safe until Oracle fixes the problem in its next Critical Patch Update (CPU). He also recommends that users apply the vendor patches as soon as they become available.