U-234: Oracle MySQL User Login Security Bypass Vulnerability

August 14, 2012 - 7:00am

PROBLEM:

Oracle MySQL User Login Security Bypass Vulnerability

PLATFORM:

Version(s): prior to 5.1.63 and 5.5.25 are vulnerable.

ABSTRACT:

Oracle MySQL is prone to a security bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions.

REFERENCE LINKS:

http://www.securityfocus.com/bid/53911/discuss
CVE-2012-2122

IMPACT ASSESSMENT:

Medium

Discussion:

Security researchers have released details about a vulnerability in the MySQL server that could allow potential attackers to access MySQL databases without inputting proper authentication credentials. The vulnerability is identified as CVE-2012-2122 and was addressed in MySQL 5.1.63 and 5.5.25 in May. However, many server administrators might not be aware of its impact, because the changelog for those versions contained very little information about the security bug.

The vulnerability can only be exploited if MySQL was built on a system where the memcmp() function can return values outside the -128 to 127 range. This is the case for Linux systems that use an SSE-optimized glibc (GNU C library).
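As an added illustration of the memcmp() truncation class described above (example code written for this page, not MySQL's source): the names my_bool, check_hash_vulnerable, check_hash_fixed and wide_memcmp are illustrative, and wide_memcmp is a constructed stand-in for a C-library memcmp() that returns values outside the -128 to 127 range.

```c
#include <stdio.h>
/* Simplified model of the defect class behind CVE-2012-2122: an int
 * comparison result is narrowed to a one-byte boolean. Names here are
 * illustrative, not MySQL's source. */
typedef char my_bool;       /* one-byte boolean type, as in older MySQL */
#define HASH_SIZE 20        /* SHA-1 digest length */
/* Constructed stand-in for an optimized memcmp() whose result can fall
 * outside -128..127; real results depend on the C library build. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* Vulnerable pattern: the int is truncated to my_bool, so -256 or 256
 * becomes 0 and a mismatch is reported as a match (0 = match). */
static my_bool check_hash_vulnerable(const unsigned char *expected,
                                     const unsigned char *computed)
{
    return wide_memcmp(expected, computed, HASH_SIZE);
}

/* Fixed pattern: reduce the comparison to 0/1 before it is narrowed.
 * Constant-time, since this guards an authentication decision. */
static my_bool check_hash_fixed(const unsigned char *expected,
                                const unsigned char *computed)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < HASH_SIZE; i++)
        diff |= expected[i] ^ computed[i];
    return diff != 0;
}

/* Verdict each checker gives for a constructed one-byte mismatch. */
static int verdict_for_one_byte_mismatch(int use_fixed)
{
    unsigned char expected[HASH_SIZE] = {0}, computed[HASH_SIZE] = {0};
    computed[0] = 1;   /* wide_memcmp() yields -256 for this pair */
    return use_fixed ? check_hash_fixed(expected, computed)
                     : check_hash_vulnerable(expected, computed);
}

int main(void)
{
    printf("vulnerable=%d fixed=%d\n", verdict_for_one_byte_mismatch(0), verdict_for_one_byte_mismatch(1));
    return 0;
}
```

The vulnerable checker prints 0 (accepted) for a hash that does not match, the fixed one prints 1.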

Impact:

Attackers can use standard, readily available tools to exploit this issue.

Solution:

Vendor updates are available. MySQL Homepage (Oracle): http://www.mysql.com/downloads/