November 28, 2014

Clarification on MySQL security vulnerability

Contrary to initial reports here and here, further investigation has revealed that under some specific and limited circumstances, Percona Server and Percona XtraDB Cluster binaries, similar to other MySQL variants, are susceptible to the security vulnerability in MySQL/MariaDB sql/password.c:

  • 64bit Ubuntu Oneiric (11.10) binaries are vulnerable in Percona Server ONLY on some hardware/virtualization platforms (confirmed on Amazon EC2 but not on HP Cloud).
  • Neither older nor newer Ubuntu versions are affected.
  • Oneiric is not an LTS distribution. Most servers using server-market-focused versions, such as 10.04 LTS and 12.04 LTS, are NOT vulnerable.
  • The latest Percona Server binaries, 5.1.63 and 5.5.24, are NOT vulnerable.

The very complicated nature of this issue—the dependency on the software platform, hardware platform, and specific binary—made the security vulnerability difficult to detect and required exhaustive testing. We apologize for any confusion caused by our original post.

As always, we recommend running the latest version of Percona Server, Percona XtraDB Cluster, or any common MySQL variant to minimize security vulnerabilities.

About Vadim Tkachenko

Vadim leads Percona's development group, which produces Percona Cloud Tools, Percona Server, Percona XtraDB Cluster and Percona XtraBackup. He is an expert in solid-state storage, and has helped many hardware and software providers succeed in the MySQL market.

Comments

  1. Great to hear you are confirming all distributions on all OS versions. That is good support for the community.

  2. I can confirm per my g+ postings that CentOS/RHEL 6.x >= 5.5.23 x64 are not vulnerable in my tests, whilst mysql 5.5.23 native was.
