
WHAT'S HAPPENING?

A critical MySQL and MariaDB database vulnerability was announced this week that allows login to the database with any valid user id without knowing the password. Each login attempt has a roughly 1 in 256 chance of succeeding with ANY password, so a simple loop that retries the login will eventually get in even though it is using an invalid password.

WHO IS AFFECTED?

Anyone managing a system that runs MySQL or MariaDB databases. Not every Linux distribution is vulnerable; whether a system is exposed depends on how the memcmp() routine was compiled. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

A C program for testing a system for this vulnerability is available at http://pastie.org/4064638
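An added illustration, not part of this advisory and not MySQL's or MariaDB's code: the defect is that the memcmp() result of the password-hash check is returned through a one-byte type, so the "not equal" signal is lost whenever memcmp() returns a multiple of 256. The word-wise comparator below is a constructed stand-in for an optimised memcmp() build (not copied from any real libc), contrasted with one confined to -1/0/1, to show why the outcome depends on how memcmp() was compiled and where the 1 in 256 figure comes from.

```c
#include <stddef.h>
#include <string.h>
#define HASH_LEN 20
typedef int (*hash_cmp_fn)(const unsigned char *, const unsigned char *, size_t);

/* Canonical comparison: the result is confined to -1/0/1, so narrowing it
 * to one byte cannot turn "different" into "equal". */
static int cmp_canonical(const unsigned char *a, const unsigned char *b, size_t n)
{
    int r = memcmp(a, b, n);
    return (r > 0) - (r < 0);
}

/* Constructed comparator (not copied from any real libc): it returns the
 * difference of the first 16-bit word that differs, so the result is a
 * multiple of 256 whenever only the high byte of that word differs. */
static int cmp_wordwise(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb) return wa - wb;
    }
    return 0;
}

/* The vulnerable pattern: the comparison result is passed back through a
 * one-byte type. Any nonzero result that is a multiple of 256 becomes 0 and
 * reads as "hashes match". Returns 1 if the candidate would be accepted. */
static int accepts(hash_cmp_fn cmp, const unsigned char *stored,
                   const unsigned char *candidate)
{
    signed char truncated = (signed char)cmp(stored, candidate, HASH_LEN);
    return truncated == 0;
}

/* Try every candidate that differs from the stored hash only in its first
 * two bytes (65535 wrong hashes) and count how many are wrongly accepted. */
static int count_false_accepts(hash_cmp_fn cmp)
{
    unsigned char stored[HASH_LEN] = {0};   /* constructed stored hash */
    unsigned char cand[HASH_LEN] = {0};
    int false_accepts = 0;
    for (int w = 1; w < 65536; w++) {
        cand[0] = (unsigned char)(w >> 8);
        cand[1] = (unsigned char)(w & 0xff);
        if (accepts(cmp, stored, cand)) false_accepts++;
    }
    return false_accepts;
}
```

With the constructed comparator, 255 of the 65535 wrong hashes are accepted (one in 256); with the canonical comparator, none are, which is the same check reduced to a narrowing-conversion review of the comparison path.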

WHAT DO YOU NEED TO DO?

TSO recommends the following actions:

1. Patch affected MySQL and MariaDB databases as soon as possible.

2. Bind the MySQL/MariaDB daemon to localhost unless remote access is required.

3. When MySQL must be accessed remotely, access should be limited in one or more of the following ways:

A. Use MySQL host-based access controls to limit the hosts that are allowed to connect.

B. Use a host-based firewall and limit database port access to specific hosts.

C. Use MySQL host-based access controls or the host firewall to limit access to connections coming from the CoC VPN and/or the GT campus VPN.

WHO SHOULD YOU CONTACT FOR QUESTIONS?

TSO Help Desk (CCB 148, 404.894.7065, helpdesk@cc.gatech.edu).