Bug 1386562

Summary: CVE-2016-5616 mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU October 2016)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, ayoung, byte, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, fdinitto, hhorak, jdornak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, slinaber, srevivo, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20161019,reported=20161019,source=internet,cvss2=6.0/AV:L/AC:H/Au:S/C:C/I:C/A:C,cvss3=7.0/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H,rhel-5/mysql=wontfix,rhel-5/mysql55-mysql=wontfix,rhel-6/mysql=wontfix,rhel-7/mariadb=affected,rhscl-2/mysql55-mysql=affected,rhscl-2/rh-mysql56-mysql=affected,rhscl-2/rh-mysql57-mysql=notaffected,rhscl-2/mariadb55-mariadb=affected,rhscl-2/rh-mariadb100-mariadb=affected,rhscl-2/rh-mariadb101-mariadb=affected,openstack-5/mariadb-galera=wontfix,openstack-6/mariadb-galera=wontfix,openstack-7/mariadb-galera=wontfix,openstack-8/mariadb-galera=wontfix,openstack-9/mariadb-galera=wontfix,openstack-10/mariadb-galera=wontfix,fedora-all/community-mysql=affected,fedora-all/mariadb=affected,fedora-all/mariadb-galera=affected,openstack-11/mariadb-galera=wontfix,openstack-12/mariadb-galera=wontfix
Fixed In Version: mysql 5.5.52, mysql 5.6.33, mysql 5.7.15 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 21:49:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1386607, 1386608, 1386609    
Bug Blocks: 1386598    

Description Adam Mariš 2016-10-19 09:02:24 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. 

External References:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881724.html#AppendixMSQL

Comment 1 Adam Mariš 2016-10-19 09:50:26 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1386608]

Comment 2 Adam Mariš 2016-10-19 09:50:41 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1386607]

Comment 3 Adam Mariš 2016-10-19 09:50:54 UTC
Created mariadb-galera tracking bugs for this issue:

Affects: fedora-all [bug 1386609]

Comment 4 Tomas Hoger 2016-10-21 16:55:07 UTC
The only change in MyISAM sub-component of MySQL in the listed versions is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

To exploit this flaw, attacker needs to have a local shell access on the server running MySQL server, and have write access to the data directory used to store database files.  The data directory is normally only writeable to the mysql system user, who has full control over database files anyway.

However, MyISAM engine allows users creating database tables to specify location where data files are stored using DATA DIRECTORY and INDEX DIRECTORY clauses for CREATE TABLE.  That way, database files can be stored in any directory writeable to a local user.

The DATA DIRECTORY and INDEX DIRECTORY clause is only applied when mysqld is running with symlink support enabled.  The symlinks support is controlled via symbolic-links configuration directive and --symbolic-links / --skip-symbolic-links command line options.  The default configuration of all MySQL and MariaDB packages on Red Hat Enterprise Linux 6 and later is to disable symlink support - symbolic-links=0 setting is used in the default my.cnf.  With this setting, only mysql system user should be able to exploit this flaw.

The mysql packages on Red Hat Enterprise Linux 5 have symlink support enabled by default, however, Red Hat has been recommending disabling symlink support since 2010:

https://rhn.redhat.com/errata/RHSA-2010-0109.html

Comment 5 Tomas Hoger 2016-10-21 16:56:27 UTC
MariaDB re-implemented this fix in a different way:

https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805

Comment 6 errata-xmlrpc 2016-10-31 19:54:27 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2130 https://rhn.redhat.com/errata/RHSA-2016-2130.html

Comment 7 errata-xmlrpc 2016-10-31 22:24:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2131 https://rhn.redhat.com/errata/RHSA-2016-2131.html

Comment 8 errata-xmlrpc 2016-11-03 20:52:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2595 https://rhn.redhat.com/errata/RHSA-2016-2595.html

Comment 9 Tomas Hoger 2016-11-03 21:49:48 UTC
This was confirmed to be a duplicate of CVE-2016-6663, see:

http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt

*** This bug has been marked as a duplicate of bug 1378936 ***