---
title: "Security Vulnerability CVE-2016-6664 / CVE-2016-5617"
publish_date: 2017-01-18
updated_date: 2019-08-26
author: "Rasmus Johansson"
---

# Security Vulnerability CVE-2016-6664 / CVE-2016-5617

During the fall, a couple of vulnerabilities were found that could be used for privilege escalation in conjunction with race conditions. These were:

- CVE-2016-6662 MySQL Remote Root Code Execution / Privilege Escalation 0day
- CVE-2016-6663 Privilege Escalation / Race Condition (also referred to as CVE-2016-5616)
- CVE-2016-6664 Root Privilege Escalation (also referred to as CVE-2016-5617)

I’ve published two blog posts about these vulnerabilities before:

- [Is Your MariaDB Version Affected by the Remote Root Code Execution Vulnerability CVE-2016-6662?](https://staging-mdb.com/resources/blog/your-mariadb-version-affected-remote-root-code-execution-vulnerability-cve-2016-6662)
- [Update on Security Vulnerabilities CVE-2016-6663 and CVE-2016-6664 Related to MariaDB Server](https://staging-mdb.com/resources/blog/update-security-vulnerabilities-cve-2016-6663-and-cve-2016-6664-related-mariadb)

CVE-2016-6662 and CVE-2016-6663 were fixed during the fall, and versions of MariaDB containing the fixes have been released. As stated in the latter blog post, the root privilege escalation vulnerability CVE-2016-6664 was not exploitable by itself: an attacker would first need to obtain shell access through some other vulnerability. But a final fix was still needed to completely shut the door on this last related vulnerability.

The CVE-2016-6664 vulnerability makes use of a weak point in the way the mysqld\_safe script handled the creation of the error log file, through which root privileges could be obtained.

Oracle made an attempt to fix this already in November, but the fix was unfortunately half-baked: it made the vulnerability slightly less exploitable but didn’t completely get rid of it. This and other issues in the mysqld\_safe script were pointed out by Red Hat’s Security Team. Oracle has since opened CVE-2017-3312 for the missing pieces of CVE-2016-6664 and fixed them.

In MariaDB Server, we’ve now implemented our own fix for the vulnerability, which we believe completely removes the possibility to make use of it.

CVE-2016-6664 is fixed as of the following versions of MariaDB Server:

- [MariaDB Server 10.1.21](https://downloads.mariadb.org/mariadb/10.1.21/), released on January 18
- [MariaDB Server 10.0.29](https://downloads.mariadb.org/mariadb/10.0.29/), released on January 13
- [MariaDB Server 5.5.54](https://downloads.mariadb.org/mariadb/5.5.54/), released on December 24

Please upgrade to these versions (or newer) to be protected against CVE-2016-6664. The latest versions can be downloaded [here](https://staging-mdb.com/downloads).
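To check a server against the fixed releases listed above, the following added example (not code from MariaDB or from this post) classifies a version string by release series. The function names, the status words and the sample version strings are assumptions made for illustration; series the post does not list are reported as `unlisted` rather than guessed.

```shell
#!/bin/sh
# Added example: compare a MariaDB version string with the releases this
# post lists as containing the CVE-2016-6664 fix (5.5.54, 10.0.29, 10.1.21).

# Print the minimum fixed patch level for a release series named in the post.
fixed_patch_for_series() {
    case "$1" in
        5.5)  echo 54 ;;
        10.0) echo 29 ;;
        10.1) echo 21 ;;
        *)    return 1 ;;   # series not covered by the post
    esac
}

# cve_2016_6664_status VERSION
# Prints fixed, unpatched, unlisted (series not in the post) or unparsable.
cve_2016_6664_status() {
    ver=${1%%-*}            # drop "-MariaDB", distro and "-log" suffixes
    case "$ver" in
        ''|*[!0-9.]*) echo unparsable; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver             # split into major, minor, patch
    IFS=$old_ifs
    if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo unparsable; return 0
    fi
    if min=$(fixed_patch_for_series "$1.$2"); then
        if [ "$3" -ge "$min" ]; then echo fixed; else echo unpatched; fi
    else
        echo unlisted
    fi
}

# Constructed sample version strings, in the form SELECT VERSION() reports.
for v in 10.1.20-MariaDB 10.1.21-MariaDB 10.0.29-MariaDB-0ubuntu0.16.04.1 \
         5.5.53-MariaDB-log 10.2.3-MariaDB; do
    printf '%-36s %s\n' "$v" "$(cve_2016_6664_status "$v")"
done
```

On a live host the argument would come from the server itself, for example the output of `SELECT VERSION()`.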

– – –

In addition to CVE-2016-6664, fixes for the following CVEs affecting MySQL, mentioned in [Oracle’s Critical Patch Update Advisory – January 2017](http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL), are included in versions 5.5.54, 10.0.29 and 10.1.21 of MariaDB:

- [CVE-2017-3238](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238)
- [CVE-2017-3243](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243)
- [CVE-2017-3244](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244)
- [CVE-2017-3257](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257)
- [CVE-2017-3258](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258)
- [CVE-2017-3265](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265)
- [CVE-2017-3291](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3291)
- [CVE-2017-3312](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3312)
- [CVE-2017-3317](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317)
- [CVE-2017-3318](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318)