
MySQL 0-day vulnerabilities

custer

Administrator
Staff member
Hi everyone,

Two zero-day security vulnerabilities were recently reported for MySQL, Percona and MariaDB (link).

To read the latest information regarding how it can affect you and what can be done, refer to the following KB article: https://kb.plesk.com/en/129745. The article will be updated after the corresponding Plesk MUs are released later this week.

Thank you for your attention and stay safe.

Hello

Should we do exactly the same thing for Plesk 11?

Thanks for your answer
 
@custer and @Everyone,

On Ubuntu the following

We have released Plesk 12.5.30 MU#47 and 12.0.18 MU#91 to address this issue.

does NOT ALWAYS apply!

Depending on the upgrade settings, the mysql server packages are upgraded to a patched (Ubuntu) package.

In essence, if the checkbox

Automatically install updates for third-party components (such as MySQL and phpMyAdmin)

is not checked (see "Tools & Settings > Update and upgrade settings"), then the patched (Ubuntu) packages will not be installed with the aforementioned micro-updates.

In the latter case, a manual installation with (the command)

apt-get update && apt-get install mysql-server mysql-server-5.5 mysql-client-core-5.5 libmysqlclient18:amd64

is required.

Moreover, if the aforementioned checkbox is checked, then the following packages

- mysql-client-core-5.5
- libmysqlclient18:amd64

are not updated to a patched (Ubuntu) package when installing the aforementioned micro-updates.

To update these (two) packages, simply run the command: apt-get update && apt-get install mysql-client-core-5.5 libmysqlclient18:amd64

Finally, some remarks have to be made with respect to step 4 in KB129745:

a) one should execute step 4; it is NOT sufficient to rely on the aforementioned micro-updates,

b) when executing step 4.a, it will show at least one account:

- one account is a system account, do not be alarmed by that,
- other accounts should be checked and, in most cases, should be removed,

c) when executing step 4.b, you

- will see that /etc/my.cnf already has the appropriate owner, group and permissions, but it can do no harm to check,
- CAN create the empty (.)my.cnf files, as suggested, but it is recommended to have none of these files at all: the general idea is to have (empty) files that block the creation of other my.cnf files (which is a good approach), but any successful hack that allows root login will also allow alteration of multiple config files (that are all read by mysql server), making it harder to detect malicious changes to the configuration of mysql server (in contrast, having only /etc/my.cnf as a config file makes it very easy to detect changes in configuration).

Hope the above helps!

Regards......

PS For the interested reader, the patched (Ubuntu) packages can be found on: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html
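Two checks that follow from the post above, as an added example (not code from the thread, the KB article or Plesk): `audit_cnf_files` lists every MySQL option file present and flags any that is not /etc/my.cnf, not root-owned, or group/world-writable, so extra or altered config files stand out as the post recommends; `apt_update_pending` reads `apt-cache policy <package>` output and reports whether the installed version lags the candidate, i.e. whether the patched Ubuntu package still has to be installed. Assumptions: GNU `stat` (Ubuntu), the documented default option-file search order (/etc/my.cnf, /etc/mysql/my.cnf, SYSCONFDIR/my.cnf taken here as /usr/etc, ~/.my.cnf), and the `$prefix` argument exists only so the function can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added helper, not from the thread or Plesk. Audits MySQL option files and
# checks for a pending apt upgrade of the MySQL packages named in the post.

# List MySQL option files under "$1" ("" on a live host, a scratch dir in tests).
# Output per file: path, octal mode, and flags (ok / owner=<user> /
# group/world-writable / extra-option-file).
audit_cnf_files() {
    prefix="${1:-}"
    # Default mysqld search order on Linux; /usr/etc stands for SYSCONFDIR (assumed).
    for f in /etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf "${HOME:-/root}/.my.cnf"; do
        p="$prefix$f"
        [ -e "$p" ] || continue
        perms=$(stat -c '%a' "$p") || continue      # GNU stat (Ubuntu)
        owner=$(stat -c '%U' "$p")
        flag="ok"
        [ "$owner" = root ] || flag="owner=$owner"
        # Write bit set for group (second-last digit) or others (last digit).
        case "$perms" in *[2367]?|*[2367]) flag="$flag group/world-writable";; esac
        # Only /etc/my.cnf should exist; anything else widens what mysqld reads.
        [ "$f" = /etc/my.cnf ] || flag="$flag extra-option-file"
        printf '%s %s %s\n' "$p" "$perms" "$flag"
    done
}

# Read `apt-cache policy <pkg>` output on stdin; exit 0 when the installed
# version differs from the candidate, i.e. the patched package is not yet installed.
apt_update_pending() {
    awk '/^ *Installed:/ {i=$2} /^ *Candidate:/ {c=$2}
         END { exit !(i != "" && i != "(none)" && c != "" && i != c) }'
}

# Live usage on Ubuntu (needs root for the full picture):
#   audit_cnf_files
#   for p in mysql-server-5.5 mysql-client-core-5.5 libmysqlclient18:amd64; do
#       apt-cache policy "$p" | apt_update_pending && echo "$p: update pending"
#   done
```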
 
For those who are using Ubuntu: you need to install MySQL updates using native OS means (apt), since we have never released our own MySQL builds for Ubuntu. In other words, Plesk on Ubuntu is always using OS-supplied MySQL.
 