Red Hat Bugzilla – Bug 1386562
CVE-2016-5616 mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU October 2016)
Last modified: 2018-04-06 08:13:43 EDT
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. External References: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881724.html#AppendixMSQL
Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1386608]
Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1386607]
Created mariadb-galera tracking bugs for this issue: Affects: fedora-all [bug 1386609]
The only change in MyISAM sub-component of MySQL in the listed versions is: https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291 To exploit this flaw, attacker needs to have a local shell access on the server running MySQL server, and have write access to the data directory used to store database files. The data directory is normally only writeable to the mysql system user, who has full control over database files anyway. However, MyISAM engine allows users creating database tables to specify location where data files are stored using DATA DIRECTORY and INDEX DIRECTORY clauses for CREATE TABLE. That way, database files can be stored in any directory writeable to a local user. The DATA DIRECTORY and INDEX DIRECTORY clause is only applied when mysqld is running with symlink support enabled. The symlinks support is controlled via symbolic-links configuration directive and --symbolic-links / --skip-symbolic-links command line options. The default configuration of all MySQL and MariaDB packages on Red Hat Enterprise Linux 6 and later is to disable symlink support - symbolic-links=0 setting is used in the default my.cnf. With this setting, only mysql system user should be able to exploit this flaw. The mysql packages on Red Hat Enterprise Linux 5 have symlink support enabled by default, however, Red Hat has been recommending disabling symlink support since 2010: https://rhn.redhat.com/errata/RHSA-2010-0109.html
MariaDB re-implemented this fix in a different way: https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Via RHSA-2016:2130 https://rhn.redhat.com/errata/RHSA-2016-2130.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Via RHSA-2016:2131 https://rhn.redhat.com/errata/RHSA-2016-2131.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2595 https://rhn.redhat.com/errata/RHSA-2016-2595.html
This was confirmed to be a duplicate of CVE-2016-6663, see: http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt *** This bug has been marked as a duplicate of bug 1378936 ***