Critical Update for Percona Server for MySQL 5.6.44-85.0

This is a CRITICAL update and the fix mitigates the issues described in CVE-2019-12301. If you upgraded packages on Debian/Ubuntu to 5.6.44-85.0-1, please upgrade to 5.6.44-85.0-2 or later and reset all MySQL root passwords.

Issue

On 2019-05-18 Percona discovered an issue with the Debian/Ubuntu 5.6.44-85.0-1 packages for Percona Server for MySQL. When a previous version was upgraded to PS 5.6.44-85.0-1 on deb-based systems, the MySQL root password was removed, allowing users to log in to the upgraded server as MySQL root without specifying a password.

Scope

This issue is limited to users who upgraded with the Debian/Ubuntu package 5.6.44-85.0-1 for Percona Server for MySQL v. 5.6. Newer versions (v. 5.7 and above) and new installations of v. 5.6 (>= 5.6.44-85.0-2) are not affected by this issue.

The 5.6.44-85.0-1 packages were available for 19 hours, starting on 2019-05-17, and were removed from the repository upon discovery of the issue. They were replaced in the repository by the 5.6.44-85.0-2 packages on 2019-05-18 at 12:50 pm UTC (see bug #5640).

Although the fixed package no longer removes the MySQL root password, it cannot restore a password that was already removed.

If you downloaded the packages before 12:50 pm UTC on 2019-05-18, please update to a newer version and reset all MySQL root passwords on those servers. If you are not sure whether your installation is affected, please verify with the script below.

Global Impact

This impacted a small subset of users: those running a very specific version of Linux together with a specific version of MySQL. If you fall within this narrow footprint, please take the steps noted in the Remediation section.

Technical Impact

The passwords of all MySQL root user entries were removed and must be reset to cure this issue, after applying the fixed package version 5.6.44-85.0-2 or higher.

Remediation

To remediate the vulnerability reported in CVE-2019-12301, upgrade using the Debian/Ubuntu 5.6.44-85.0-2 package (or newer) and reset all MySQL root passwords. To determine whether the residual MySQL root password issue has been resolved, or to verify whether the root password is empty (which may be common), please deploy this script:

https://gist.github.com/Oneiroi/30fd32261ba8ceb699893c9b20f081c2
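As an added example (not the gist linked above and not Percona's own code), the following POSIX shell script performs the same kind of check on a Percona Server 5.6 instance: it queries mysql.user for root accounts whose Password and authentication_string columns are both empty and prints the 5.6-syntax SET PASSWORD statement needed to reset each one. The connection credentials (assumed to come from ~/.my.cnf), the --demo flag and the sample rows are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Percona's gist: list MySQL root accounts that have no
# password after the 5.6.44-85.0-1 upgrade, and print the reset statement.
# Assumes the mysql command-line client is installed and can authenticate
# (for example via ~/.my.cnf); no credentials are hard-coded here.

TAB="$(printf '\t')"

# Query run against a live 5.6 server. In 5.6 the Password column holds the
# native password hash and authentication_string is used by auth plugins;
# both empty means the account can log in without a password.
# (5.7 and later dropped the Password column; this advisory concerns 5.6.)
ROOT_QUERY="SELECT User, Host, IF(Password = '' AND authentication_string = '', 'EMPTY', 'SET') FROM mysql.user WHERE User = 'root'"

# Classify tab-separated rows "User<TAB>Host<TAB>EMPTY|SET" read from stdin,
# which is exactly what 'mysql -N -B' prints for ROOT_QUERY.
# Returns 1 if any root account has no password, 0 otherwise.
check_root_rows() {
  found=0
  while IFS="$TAB" read -r user host state; do
    [ -z "$user" ] && continue
    if [ "$state" = "EMPTY" ]; then
      echo "WARNING: '$user'@'$host' has an empty password. Reset it with:"
      echo "  SET PASSWORD FOR '$user'@'$host' = PASSWORD('<new-strong-password>');"
      found=1
    else
      echo "OK: '$user'@'$host' has a password set"
    fi
  done
  return $found
}

# Live check: run the query with column names and table borders suppressed
# and feed the rows to the classifier. Exit status 1 means action is needed.
check_live_server() {
  mysql -N -B -e "$ROOT_QUERY" | check_root_rows
}

# Constructed sample rows (not real server output) so the classifier can be
# exercised offline with --demo: one affected account, one healthy account.
SAMPLE_ROWS="root${TAB}localhost${TAB}EMPTY
root${TAB}127.0.0.1${TAB}SET"

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_ROWS" | check_root_rows
fi
```

Run it with no arguments after defining check_live_server as the entry point, or with --demo to see the classification on the constructed rows; a non-zero exit status from check_root_rows is what a configuration-management or monitoring job would key on. The check reports every root@host row, not just root@localhost, because the advisory states that all root entries lost their password.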

Contact

If you have any questions about this issue or need to report a security concern, please contact Percona’s Security Team via security@percona.com or www.percona.com/security.
