--- title: "Is Your MariaDB Version Affected by the Remote Root Code Execution Vulnerability CVE-2016-6662?" publish_date: 2016-09-14 updated_date: 2019-08-26 author: "Rasmus Johansson" tags: - name: "Cluster" url: "/resources/blog/tag/cluster.md" - name: "Code Execution" url: "/resources/blog/tag/code-execution.md" - name: "CVE-2016-6662" url: "/resources/blog/tag/cve-2016-6662.md" - name: "Enterprise" url: "/resources/blog/tag/enterprise.md" - name: "How to" url: "/resources/blog/tag/how-to.md" - name: "Remote Root" url: "/resources/blog/tag/remote-root.md" - name: "Server" url: "/resources/blog/tag/server.md" - name: "troubleshooting" url: "/resources/blog/tag/troubleshooting.md" - name: "Vulnerability" url: "/resources/blog/tag/vulnerability.md" --- # Is Your MariaDB Version Affected by the Remote Root Code Execution Vulnerability CVE-2016-6662? Over the last few days, there has been a lot of questions and discussion around a vulnerability referred to as **MySQL Remote Root Code Execution / Privilege Escalation 0day** with CVE code **CVE-2016-6662**. It’s a serious vulnerability and we encourage every MariaDB Server, MariaDB Enterprise and MariaDB Enterprise Cluster user to read the below update on the vulnerability and how it affects MariaDB products. The vulnerability can be exploited by both local and remote users. Both an authenticated connection to or SQL injection in an affected version of MariaDB Server can be used to exploit the vulnerability. If successful, a library file could be loaded and executed with root privileges. The corresponding bug about the vulnerability can be seen in MariaDB’s project tracking with bug number [MDEV-10465](https://jira.mariadb.org/browse/MDEV-10465), which was opened on July 31, 2016. **MariaDB Enterprise and Enterprise Cluster** The following versions of MariaDB Enterprise and Enterprise Cluster include the fix for the vulnerability: - 5.5.51 or later versions - 10.0.27 or later versions - 10.1.17 or later versions **MariaDB Server** All stable MariaDB versions (5.5, 10.0, 10.1) were fixed in August 2016 in the following versions: - [5.5.51,](https://mariadb.org/mariadb-5-5-51-updated-connectors-now-available/) released on August 10, 2016 - [10.0.27](https://mariadb.org/mariadb-10-0-27-now-available/), released on August 25, 2016 - [10.1.17](https://mariadb.org/mariadb-10-1-17-mariadb-galera-cluster-10-0-27-now-available/), released on August 30, 2016 If you’re on any of the above versions (or later), rest assured, you’re protected against this vulnerability. If you happen to be testing an alpha version of MariaDB 10.2, please be aware that the fix will be available in version 10.2.2, which is expected to be released soon. **More details on the vulnerability** The vulnerability makes use of the *mysqld\_safe* startup script. However, if the database user being used has neither *SUPER* nor *FILE* privilege or if the user has *FILE* but *–secure-file-priv* is set to isolate the location of import and export operations, then the vulnerability is NOT exploitable. It is always a recommended configuration to not grant *SUPER* privileges and to avoid granting *FILE* privileges without using *–secure-file-priv*. Users that have installed MariaDB Server 10.1.8 or later from RPM or DEB packages are NOT affected by the vulnerability. This is due to the fact that in version 10.1.8, MariaDB started using systemd instead of init to manage the MariaDB service. In this case the *mysqld\_safe* startup script isn’t used. For the complete report of the vulnerability, please refer to the [advisory](http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html) by Dawid Golunski (legalhackers.com) who discovered the vulnerability.