
Avoid MySQL slams

Feb 05, 2003
Enterprise Applications, Linux, Security

* Beware of MySQL security vulnerability

The MS-SQL Slammer Worm debacle that crippled Microsoft database servers and much of the Internet last week should also be a wakeup call to Linux/MySQL users. While widespread worms and attacks are perceived to be less common on open source software, platforms such as MySQL on Linux aren’t impervious to ‘Net mischief.

Much of the high-level debate last week on the Slammer worm revolved around whether the maker of a compromised software product should be blamed when attacks occur, or whether lazy end users who don’t keep up with patches and security updates are the ones at fault. That debate could go on forever. But if you use MySQL and want to stay out of the second camp, be aware of a few vulnerabilities reported recently in the MySQL database package of several popular Linux distributions.

One problem is related to a package in MySQL called “COM_TABLE_DUMP.” According to Red Hat, the vulnerability “allows remote attackers to cause a denial of service (crash or hang) in mysqld by causing large negative integers to be provided to a memcpy call.” Red Hat, Debian and the security-focused EnGarde Linux all recently reported a problem relating to this vulnerability.
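As an added illustration of the bug class Red Hat describes (a signed length reaching memcpy), not code from MySQL or the advisory, the following constructed C snippet shows the unchecked copy beside a checked one; the packet layout and function names are assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not MySQL's code: a field length read from a client
 * packet is trusted by the copy routine that follows it. */

#define FIELD_MAX 64

/* Vulnerable pattern: the length stays a signed 32-bit int and goes straight
 * to memcpy. A negative value converts to a huge size_t, memcpy runs off the
 * end of the packet buffer, and the server process crashes. */
static void copy_field_unchecked(char *dst, const char *src, int32_t len) {
    memcpy(dst, src, (size_t)len);   /* -1 becomes SIZE_MAX here */
}

/* Hardened pattern: check sign, packet bounds and destination size before
 * copying. Returns bytes copied, or -1 if the length is rejected. */
static int copy_field_checked(char *dst, size_t dst_len,
                              const char *src, size_t src_len, int32_t len) {
    if (len < 0) return -1;                 /* negative length: reject */
    if ((size_t)len > src_len) return -1;   /* longer than the packet */
    if ((size_t)len > dst_len) return -1;   /* longer than the buffer */
    memcpy(dst, src, (size_t)len);
    return len;
}

/* What a negative length turns into at memcpy's size_t parameter. */
static size_t memcpy_size_of(int32_t len) { return (size_t)len; }

/* Checked copy of a payload into a fixed-size field (used by main and tests). */
static int try_checked(const char *payload, size_t payload_len, int32_t len) {
    char field[FIELD_MAX];
    return copy_field_checked(field, sizeof field, payload, payload_len, len);
}

int main(void) {
    /* Constructed packet payload; the length as decoded from its header. */
    const char payload[] = "hello";
    int32_t len = 5;
    char field[FIELD_MAX];
    copy_field_unchecked(field, payload, len);   /* benign length: works */
    printf("len %d -> checked copy returns %d\n", len, try_checked(payload, 5, len));
    /* A length of -1 from the wire: rejected by the check; the unchecked copy
     * would call memcpy with SIZE_MAX and crash, the reported DoS. */
    printf("len -1 -> memcpy size %zu, checked copy %d\n",
           memcpy_size_of(-1), try_checked(payload, 5, -1));
    return 0;
}
```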

In the MySQL package running on several SuSE Enterprise Server versions, an issue was found with a password-checking function that could allow unpatched servers to be compromised by attackers. Another vulnerability was found within the MySQL client libraries. According to SuSE: “Applications using this library (as commonly used from within PHP scripts) are vulnerable to this attack and could also be compromised by remote attackers.”

You can get patches for and view more information about the above vulnerabilities at the following sites:

Debian advisory