MySQL zero-day vulnerability. The versions currently known to be affected are:
<= 5.7.15, <= 5.6.33, <= 5.5.52
To find out which version you are running, you can use:
#mysql
mysql > select version();
-> ;
+------------+
| version() |
+------------+
| 5.6.25-log |
+------------+
1 row in set (0.00 sec)
Description on the Red Hat website: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6662
A vulnerability in MySQL was found that allows:
1. injecting malicious configuration into existing MySQL configuration files on systems with weak/improper permissions (configs owned by/writable by mysql user)
2. creating new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on improper config permissions.
3. gaining access to logging functions (normally only available to MySQL admin users) to attackers with only SELECT/FILE permissions on all of the _default_ MySQL installations and thus be in position to add/modify MySQL config files.
Public via: http://seclists.org/oss-sec/2016/q3/481
External References: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
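
An added example, not part of the original post or of the Red Hat description: a Python check that compares a `select version()` string with the affected releases listed above and flags configuration files that the MySQL account owns or can write. The `mysql` account name and the file paths in the `__main__` part are assumptions; adjust them to the install being audited.

```python
import os
import re
import stat

# Last affected release per branch, as listed on this page.
LAST_AFFECTED = {(5, 5): 52, (5, 6): 33, (5, 7): 15}

def is_affected(version_string):
    """True/False for the branches the page lists, None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised version: %r" % version_string)
    major, minor, patch = map(int, m.groups())
    last = LAST_AFFECTED.get((major, minor))
    return None if last is None else patch <= last

def writable_by(st, uid, gids):
    """Mode-bit check only (no ACLs): can the account (uid, gids) write?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_configs(paths, uid, gids):
    """Findings for existing config files the MySQL account owns or can write."""
    findings = []
    for path in paths:
        if not os.path.exists(path):
            continue
        st = os.stat(path)
        if st.st_uid == uid:
            findings.append((path, "owned by mysql account"))
        elif writable_by(st, uid, gids):
            findings.append((path, "writable by mysql account"))
    return findings

if __name__ == "__main__":
    import pwd
    print(is_affected("5.6.25-log"))  # version string from the session above
    try:
        acct = pwd.getpwnam("mysql")  # assumed service account name
    except KeyError:
        raise SystemExit("no 'mysql' account on this host")
    # Assumed locations; the last one sits in an assumed data directory (point 2).
    paths = ["/etc/my.cnf", "/etc/mysql/my.cnf", "/var/lib/mysql/my.cnf"]
    print(audit_configs(paths, acct.pw_uid, {acct.pw_gid}))
```

Any finding means the condition in point 1 or point 2 of the description is present on that host, whatever the version check says.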