MySQL Multiple Vulnerabilities
A MySQL server was identified to be using an out of date and vulnerable version of MySQL. The 5.0 release is no longer actively developed and should not be used in production environments. Below shows an example of a version of MySQL identified:
$ nc 10.0.0.24 3306
5.0.34-enterprise-nt
For a list of vulnerabilities affecting this version of MySQL please reference the following URL: http://www.cvedetails.com/vulnerability-list/vendor_id-185/product_id-316/version_id-140341/Mysql-Mysql-5.0.34.html
Remediation
Virtue Security recommends that MySQL installations are upgraded to the latest patch level of 5.5 or 5.6 releases. MySQL requires that all installations are upgraded sequentially, so a 5.0 release must be upgraded to 5.1 before it is upgraded to 5.5. Because of this, some servers may need to be upgraded two or three times before a current version is reached. Below is the basic procedure for each iteration:
- Backup database with the mysqldump command.
- Install the next major release of MySQL.
- Check table integrity with the
mysql_upgradecommand If a package management system is used to maintain software, packages should be updated and verified. The MySQL version can be obtained at the command line with the following command:
$ mysql --version
If packages were compiled from source or downloaded binaries, updated binaries should be obtained from http://dev.mysql.com/downloads/.
For detailed instructions and considerations for upgrading specific versions of MySQL, please reference the following URLs:
| MySQL Version | URL |
|---|---|
| Version 5.0 to 5.1 | https://dev.mysql.com/doc/refman/5.1/en/upgrading-from-previous-series.html |
| Version 5.1 to 5.5 | https://dev.mysql.com/doc/refman/5.5/en/upgrading-from-previous-series.html |
| Version 5.5 to 5.6 | https://dev.mysql.com/doc/refman/5.6/en/upgrading-from-previous-series.html |