Bug 1386562 - CVE-2016-5616 mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU October 2016)
Summary: CVE-2016-5616 mysql: unspecified vulnerability in subcomponent: Server: MyISA...
Keywords:
Status: CLOSED DUPLICATE of bug 1378936
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161019,repor...
Depends On: 1386607 1386608 1386609
Blocks: 1386598
TreeView+ depends on / blocked
 
Reported: 2016-10-19 09:02 UTC by Adam Mariš
Modified: 2019-06-08 21:31 UTC (History)
29 users (show)

Fixed In Version: mysql 5.5.52, mysql 5.6.33, mysql 5.7.15
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 21:49:48 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2130 normal SHIPPED_LIVE Important: mysql55-mysql security update 2016-10-31 23:52:57 UTC
Red Hat Product Errata RHSA-2016:2131 normal SHIPPED_LIVE Important: mariadb55-mariadb security update 2016-11-01 02:23:20 UTC
Red Hat Product Errata RHSA-2016:2595 normal SHIPPED_LIVE Important: mariadb security and bug fix update 2016-11-03 12:11:21 UTC

Description Adam Mariš 2016-10-19 09:02:24 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. 

External References:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881724.html#AppendixMSQL

Comment 1 Adam Mariš 2016-10-19 09:50:26 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1386608]

Comment 2 Adam Mariš 2016-10-19 09:50:41 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1386607]

Comment 3 Adam Mariš 2016-10-19 09:50:54 UTC
Created mariadb-galera tracking bugs for this issue:

Affects: fedora-all [bug 1386609]

Comment 4 Tomas Hoger 2016-10-21 16:55:07 UTC
The only change in MyISAM sub-component of MySQL in the listed versions is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

To exploit this flaw, attacker needs to have a local shell access on the server running MySQL server, and have write access to the data directory used to store database files.  The data directory is normally only writeable to the mysql system user, who has full control over database files anyway.

However, MyISAM engine allows users creating database tables to specify location where data files are stored using DATA DIRECTORY and INDEX DIRECTORY clauses for CREATE TABLE.  That way, database files can be stored in any directory writeable to a local user.

The DATA DIRECTORY and INDEX DIRECTORY clause is only applied when mysqld is running with symlink support enabled.  The symlinks support is controlled via symbolic-links configuration directive and --symbolic-links / --skip-symbolic-links command line options.  The default configuration of all MySQL and MariaDB packages on Red Hat Enterprise Linux 6 and later is to disable symlink support - symbolic-links=0 setting is used in the default my.cnf.  With this setting, only mysql system user should be able to exploit this flaw.

The mysql packages on Red Hat Enterprise Linux 5 have symlink support enabled by default, however, Red Hat has been recommending disabling symlink support since 2010:

https://rhn.redhat.com/errata/RHSA-2010-0109.html

Comment 5 Tomas Hoger 2016-10-21 16:56:27 UTC
MariaDB re-implemented this fix in a different way:

https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805

Comment 6 errata-xmlrpc 2016-10-31 19:54:27 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2130 https://rhn.redhat.com/errata/RHSA-2016-2130.html

Comment 7 errata-xmlrpc 2016-10-31 22:24:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2131 https://rhn.redhat.com/errata/RHSA-2016-2131.html

Comment 8 errata-xmlrpc 2016-11-03 20:52:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2595 https://rhn.redhat.com/errata/RHSA-2016-2595.html

Comment 9 Tomas Hoger 2016-11-03 21:49:48 UTC
This was confirmed to be a duplicate of CVE-2016-6663, see:

http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt

*** This bug has been marked as a duplicate of bug 1378936 ***


Note You need to log in before you can comment on or make changes to this bug.