Percona Security Advisory CVE-2015-1027

May 6, 2015 | Posted In: MySQL, Security

Summary: During a code audit performed internally at Percona, we discovered a viable information disclosure attack when coupled with a MITM attack in which percona-toolkit and xtrabackup perl components could be coerced into returning additional MySQL configuration information. The vulnerability has since been closed. Timeline 2014-12-16 Initial research, […]

How to test if CVE-2015-0204 FREAK SSL security flaw affects you

March 5, 2015 | Posted In: MySQL, Security

The CVE-2015-0204 FREAK SSL vulnerability abuses intentionally weak “EXPORT” ciphers which could be used to perform a transparent Man In The Middle attack. (We seem to be continually bombarded with not only SSL vulnerabilities but the need to name vulnerabilities with increasingly odd names.) Is your server vulnerable? This can be tested using the following GIST […]

GHOST vulnerability (CVE-2015-0235) Percona response

January 29, 2015 | Posted In: MySQL, Security

Cloud security company Qualys announced Tuesday the issues prevalent in glibc since version 2.2 introduced in 2000-11-10 (the complete Qualys announcement may be viewed here). The vulnerability, CVE-2015-0235, has been dubbed “GHOST.” As the announcement from Qualys indicates, it is believed that MySQL and by extension Percona Server are not affected by this issue. Percona […]

File carving methods for the MySQL DBA

December 23, 2014 | Posted In: Insight for DBAs, MySQL, Security

This is a long overdue blog post from London’s 44con Cyber Security conference back in September. A lot of old memories were brought to the front, as it were; the one I’m going to cover in this blog post is file carving. So what is file carving? Despite the terminology, it’s not going to be a […]

(More) Secure local passwords in MySQL 5.6 and up

November 25, 2014 | Posted In: MySQL, Security

I log into a lot of different servers running MySQL and one of the first things I do is create a file in my home directory called ‘.my.cnf’ with my credentials to that local mysql instance:

This means I don’t have to type my password in every time, nor am I tempted to include […]

How to close POODLE SSLv3 security flaw (CVE-2014-3566)

October 15, 2014 | Posted In: MySQL, Security

Padding Oracle On Downgraded Legacy Encryption. First off, the naming “convention” as of late for security issues has been terrible. The newest vulnerability (CVE-2014-3566) is nicknamed POODLE, which at least is an acronym and as per the header above has some meaning. The summary of this issue is that it is much the same as the […]

Database auditing alternatives for MySQL

May 20, 2014 | Posted In: Insight for DBAs, MySQL, Security

Database auditing is the monitoring of selected actions of database users. It doesn’t protect the database in case privileges are set incorrectly, but it can help the administrator detect mistakes. Audits are needed for security. You can track data access and be alerted to suspicious activity. Audits are required for data integrity. They are the […]

Heartbleed: Separating FAQ From FUD

April 9, 2014 | Posted In: Insight for DBAs, MySQL, Percona Server for MySQL, Security

If you’ve been following this blog (my colleague, David Busby, posted about it yesterday) or any tech news outlet in the past few days, you’ve probably seen some mention of the “Heartbleed” vulnerability in certain versions of the OpenSSL library. So what is ‘Heartbleed’, really? In short, Heartbleed is an information-leak issue. An attacker can […]

Hardening your Cacti setup

March 19, 2014 | Posted In: Percona Monitoring Plugins, Security

If you are using Percona Monitoring Plugins for Cacti, this article should be important to you. By default, the Cacti setup is closed off from Web access. Here is an excerpt from /etc/httpd/conf.d/cacti.conf:

In order to access the Cacti web interface, most likely you will be changing this configuration. Commenting out the Deny/Require statements will […]
