In a world driven by computers, most companies rely on systems that are entirely built around databases. Losing data, or even as little as losing the full control over it, could bring any business down. Frequently databases hold sensitive information such as personal details, transaction statements, credit card data – among many other things. This is also why running certain types of databases is regulated in many countries by local as well as international laws – especially in Europe.

What is at stake?

• Availability. When a database or data disappear, business stops. Assuming you have working backups you can restore from, this is the least of all concerns.
• Confidentiality. Your secrets, private information of your customers and anything else that you decided not to make publicly available may be leaked.
• Privacy. Personal …

If for any reason you couldn’t attend my talk at FOSDEM earlier today on improving MySQL security, I have already uploaded the slides. You can download them from here.

I’m getting more and more concerned about the current Oracle approach to MySQL security. And the fact that I was solely responsible for the security@mysql.com for about ten years, doesn’t make it easier, on the contrary, it only emphasizes changes in the attitude.

Starting from the obvious — somewhat slower response to critical bug fixes, which can be expected, Oracle is a big company, right? Very little information about security vulnerabilities is disclosed, CPUs are carefully stripped from anything that might help to understand the problem, it takes hours to map them to code changes. Heck, even test cases are kept private now. This seriously smells …

What happens when you use the PASSWORD() function to insert a password hash into a table?

• The hash will be written to the table
• The password might be written in clear text to the binlog
• The password might be written in clear text to the general log
• The password might be written in clear text to the slow query log

The query

mysql [localhost] {msandbox} (test) > INSERT INTO testpwd(pwd) VALUES(PASSWORD('secret_password'));
Query OK, 1 row affected (0.00 sec)

The General log

130128 16:04:41     1 Query     INSERT INTO testpwd(pwd) VALUES(PASSWORD('secret_password'))

The Slow query log

# Time: 130128 16:04:41
# User@Host: msandbox[msandbox] @ localhost []
# Query_time: 0.004887  Lock_time: 0.001043 Rows_sent: 0  Rows_examined: 0
SET …

CSO Online writes about a rather sad list of security breaches at http://www.csoonline.com/article/721151/fatal-half-measures-in-incident-response, and the half-hearted approach companies take in dealing with the security on their networks and websites.

What I find most embarrassing is that it appears (judging by the actions) that many companies have their lawyers do some kind of borked risk assessment , and decide that they can just leave things as-is and yell foul when there’s a breach. After all, particularly in the US prosecutors are very heavy handed with breaches, even when the company has been totally negligent. That’s weird, because an insurance company wouldn’t pay out for a break-in when you’ve left your front door wide open! The problem is of course that the damage will have been done, …

Oracle's MySQL Enterprise Edition includes the most comprehensive set of advanced features, management tools and technical support to help you reduce the cost, risk & time to deploy and manage your MySQL applications.

Access our Resource Kit to discover:

• How to boost scalability by 20x with MySQL Enterprise Scalability
• How to automatically detect and recover from failures with MySQL Enterprise High Availability
• How to eliminate security vulnerabilities, improve replication and optimize performance with the MySQL Enterprise Monitor
• How MySQL Enterprise Backup reduces the risk of data loss …

I have been preaching since 2003 that the default deployment of MySQL (where root can access without password) should be changed to something more sicure.

Yet, MySQL 5.6 still uses the same defaults.

$ mysql --no-defaults -u root --port=5000 -h 127.0.0.1
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.9-rc MySQL Community Server (GPL)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set password=password('oh-come-on');
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

I have installed MySQL 5.6. Now I access as …

When the MySQL version from your distribution isn't good enough you need to download the latest Oracle MySQL. There are more possibilities like Percona Server and MariaDB, but that's not what this post is about.

The dowload site for MySQL is https://www.mysql.com/downloads/mysql/ and contains to a mirror.php script which ask you if you like to login with a Oracle Web Account and then chooses a mirror for you. You don't have to login. Then you will be redirected to the chosen mirror. In my case this is https://cdn.mysql.com

Firefox will give you a "This Connection is Untrusted" dialog. If you click on "Technical details" it will show the following error:

cdn.mysql.com uses an invalid security certificate.

The certificate is only valid for the following names:
  a248.e.akamai.net , *.akamaihd.net , …

Important Security Fix for a Buffer Overflow Bug: MariaDB 5.5.28a, 5.3.11, 5.2.13 and 5.1.66 include a fix for CVE-2012-5579, a vulnerability that allowed an authenticated user to crash MariaDB server or to execute arbitrary code with the privileges of the mysqld process. This is a serious security issue. We recommend upgrading from older versions as soon as possible.

MariaDB 5.5.28a, 5.3.11, 5.2.13 and 5.1.66 (GA) binaries, packages, and source tarballs are now available for download from http://downloads.mariadb.org. So you can upgrade within your own major series.

Note that while this fix has just been published, some other vulnerabilities have been noted over the weekend also. Below a summary of these other CVEs as documented by Red Hat Security Response Team, with annotations by Sergei Gulubchik who is the Security Coordinator for MariaDB.

• …

SANS ISC reported a number of zeroday's for MySQL today.

* CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
http://seclists.org/fulldisclosure/2012/Dec/4
https://bugzilla.redhat.com/show_bug.cgi?id=882599

* CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
http://seclists.org/fulldisclosure/2012/Dec/5
https://bugzilla.redhat.com/show_bug.cgi?id=882600

* CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
Exploit
 …