Percona responds to CVE-2016-6663 and CVE-2016-6664

Percona has addressed CVE-2016-6663 and CVE-2016-6664 in releases of Percona Server for MySQL and Percona XtraDB Cluster.

Percona is happy to announce that the following vulnerabilities are fixed in current releases of Percona Server for MySQL and Percona XtraDB Cluster:

  • CVE-2016-6663: allows a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically “mysql”).
  • CVE-2016-6664: can let attackers who have gained access to the mysql system user further escalate their privileges to the root user, allowing them to fully compromise the system.

Users should upgrade to their relevant incremental release.

Percona Server

Percona XtraDB Cluster

Users should update as soon as is practical to ensure protection from these vulnerabilities.
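The advisory tells operators to compare what they run against the fixed incremental release for their product line. The following is an added example, not Percona's own tooling: it parses the version strings in the form seen on this page (`5.5.41-37.0`, `5.1.73-rel14.12.624`, `5.5.41-25.12-855`, and the full RPM package name quoted in the comments) into comparable tuples and flags hosts that sit below a patched threshold. The threshold values in the demo are constructed placeholders, not the versions Percona published; comparisons are only meaningful within one product line, because the Percona release number after the hyphen is not comparable across Percona Server and Percona XtraDB Cluster.

```python
import re
from typing import Dict, List, Tuple

# Matches "<upstream>-[rel]<percona release>", e.g. "5.6.33-79.0",
# "5.1.73-rel14.12.624" or "5.5.41-25.12-855" (dot or hyphen separated).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(?:rel)?(\d+(?:[.-]\d+)*)$")

# Pulls the version out of an RPM NEVRA-style package name such as
# "Percona-Server-server-51-5.1.73-rel14.12.624.rhel6.x86_64".
_RPM_RE = re.compile(r"-(\d+\.\d+\.\d+-(?:rel)?\d+(?:[.-]\d+)*)\.(?:rhel|el)\d+\.")

Version = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_version(version: str) -> Version:
    """Split a Percona version into (upstream MySQL tuple, Percona release tuple)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    upstream = tuple(int(part) for part in match.group(1).split("."))
    release = tuple(int(part) for part in re.split(r"[.-]", match.group(2)))
    return upstream, release


def version_from_rpm_name(package: str) -> str:
    """Extract the bare version string from an RPM package name."""
    match = _RPM_RE.search(package)
    if not match:
        raise ValueError(f"no version found in package name: {package!r}")
    return match.group(1)


def is_at_least(installed: str, minimum: str) -> bool:
    """True when installed >= minimum. Tuples compare lexicographically, so the
    upstream MySQL version decides first, then the Percona release number."""
    return parse_version(installed) >= parse_version(minimum)


def audit(installed: Dict[str, str], minimum_patched: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (product, version, reason) for every product that is not known to be
    patched: either below the threshold or with no threshold on record (e.g. an
    EOL series that never received the fix)."""
    findings = []
    for product, version in installed.items():
        minimum = minimum_patched.get(product)
        if minimum is None:
            findings.append((product, version, "no patched release known for this series"))
        elif not is_at_least(version, minimum):
            findings.append((product, version, f"below patched release {minimum}"))
    return findings


if __name__ == "__main__":
    # Constructed inventory; the 5.1 package name is the one quoted in the comments.
    inventory = {
        "Percona-Server-5.5": "5.5.41-37.0",
        "Percona-Server-5.1": version_from_rpm_name(
            "Percona-Server-server-51-5.1.73-rel14.12.624.rhel6.x86_64"
        ),
    }
    # PLACEHOLDER thresholds for the demo only; take the real ones from the advisory.
    thresholds = {"Percona-Server-5.5": "5.5.99-99.0"}
    for product, version, reason in audit(inventory, thresholds):
        print(f"{product} {version}: {reason}")
```

The audit deliberately reports a series with no recorded threshold as a finding rather than silently passing it, which is the situation the 5.1 users in the comments below are in.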

Percona would like to thank Dawid Golunski for disclosing these issues.


Comments (14)

  • Sergei Golubchik

    Your description for -6664 is totally wrong; you apparently copy-pasted a description of a different vulnerability there.

    November 3, 2016 at 1:42 am
    • David Busby

      This does look incorrect; I will advise marketing of the error.

      November 3, 2016 at 4:25 am
  • Sergei Golubchik

    In fact, -6663 looks wrong too

    November 3, 2016 at 1:44 am
    • David Busby

      CVE-2016-6663 description was taken from the advisory linked

      November 3, 2016 at 4:23 am
      • Sergei Golubchik

        Indeed, you are right. It is correct, strictly speaking. It just doesn’t mention the race condition, or REPAIR, or OPTIMIZE, or MyISAM, only CREATE/INSERT/SELECT, which aren’t used in this vulnerability at all. So it appeared to be incorrect, and that was confusing. Sorry.

        November 3, 2016 at 4:37 am
  • etpropschroeder

    Just for clarity, the listed Percona Server/XtraDB Cluster versions are in fact patched, and not the most recent unpatched versions?

    November 5, 2016 at 1:38 pm
    • David Busby

      The versions noted in the post contain the fixes; of course, I would recommend, however, that you use the latest version to ensure you have all of the most recent fixes.

      November 6, 2016 at 8:25 am
  • CasBuac7Kee

    Some of us still use the old 5.1 series of Percona Server. Any chance to backport these security fixes to the old 5.1 series?

    November 5, 2016 at 9:35 pm
    • David Busby

      I will ask our development team; however, given that 5.1 went EOL in 2013, I would strongly recommend you look to upgrade as soon as possible!

      November 6, 2016 at 8:26 am
      • CasBuac7Kee

        Thank you for your help! Unfortunately, upgrading is not always an option, and not always my decision (due to tight software dependencies).

        Please note MySQL 5.1 is still supported and will be supported until 2020 on RHEL6 (and its derivatives CentOS6, Scientific Linux 6). But Percona Server 5.1 is a lot more tuned and has more administrative features for production workloads than the original version. So I would prefer to stay on Percona Server 5.1 instead of replacing it with the untuned distro version. As Red Hat will eventually release the fixes (as source code), your security team could also use it as a patch source. It would be really helpful if the security team at least integrated the security patches released by Red Hat into the Percona Server 5.1 series, and rebuilt the packages.

        Thanks for your help!

        November 6, 2016 at 11:01 am
        • David Busby

          I’ve had a response from our developers, and that is that Percona Server 5.1 will move to “Customized support”, which essentially is EOL unless someone pays for a release and backports. As such, our recommendation is to upgrade to at least 5.5 as soon as possible.

          November 10, 2016 at 10:01 am
  • CasBuac7Kee

    CVE-2016-6663 could also be successfully executed to gain a shell as the mysql user on Percona-Server-server-51-5.1.73-rel14.12.624.rhel6.x86_64 ….

    November 5, 2016 at 9:41 pm
  • Nicholas

    There seems to be no change in percona-xtradb-cluster-5.5 between version 5.5.41-25.11.1 and 5.5.41-37.0. Are we sure this has the right fix? If so, that seems to suggest the fix was in place back in Sept.

    November 11, 2016 at 11:07 am
    • Nicholas

      I meant between 5.5.41-25.12-855 and 5.5.41-37.0

      November 11, 2016 at 11:20 am
