Related vulnerability
Title:
Oracle MySQL Remote Code Execution / Privilege Escalation Vulnerability
(CVE-2016-6662)
Description: Oracle MySQL is an open-source relational database management system from Oracle Corporation (USA), known for high performance, low cost and good reliability. A remote code execution vulnerability exists in the Oracle MySQL configuration file (my.cnf). An attacker (local or remote) with authorized access to the MySQL database (over a network connection or through a web interface such as phpMyAdmin), or via SQL injection, can exploit this vulnerability to inject malicious database configuration into the configuration file, leading to arbitrary code execution with root privileges and full control of the affected server. The following versions are affected: Oracle MySQL 5.5.52 and earlier, 5.6.x
Description
Simple ansible playbook to patch mysql servers against CVE-2016-6662
Introduction
# ansible-mysql-cve-2016-6662
Simple ansible playbook to patch mysql servers against CVE-2016-6662.
## UPDATE
- 20160915.2347.CEST: Kenny informed me of Patrick Forsberg's catch that the original patch did not safeguard against ../ abuse. I've now replaced the patch with one that is more stringent (based on a mix of the Percona and MySQL ones), and also added a task that removes the Percona patch if it was already applied.
## Summary of CVE
In brief, the attack writes a malicious .so to the filesystem and modifies your configuration so that it is loaded at the next service restart.
## Summary of patch
This patch will not prevent the actual attack, but it modifies mysqld\_safe so that .so files are only loaded from the standard system locations, where mysqld cannot write. It will also check the existence and permissions of the various defaults files that mysqld might pick up, to prevent malicious code from creating or modifying them.
## How to use
- Specify the targets for the playbook as --extra-vars='targets=host1,host2' to ansible-playbook
- If you want the script to fix the defaults files instead of just reporting them, pass --extra-vars='fs\_fix\_permissions=true' to ansible-playbook
## The longer bit
The full issue is available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662 ; Kenny Gryp of Percona has posted a brief-but-excellent explanation at https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/ .
This playbook will try to apply a custom patch that is a mix of the Percona patch in https://github.com/percona/percona-server/commit/c14be53e029442f576cced1fb8ff96b58e89f2e0#diff-144aa2f11374843c969d96b7b84247eaR261 and the MySQL patch at https://github.com/mysql/mysql-server/blob/5.7/scripts/mysqld_safe.sh#L356-L364 .
It will:
- Install the standard _patch_ package if not present
- Find the location of your mysqld\_safe executable using _which_
- Remove the Percona patch if it was applied
- Attempt to patch mysqld\_safe
- Remove _patch_ again if we were the ones to install it
- Check and optionally secure the list of defaults files mysqld tries to read
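The defaults-file check from the last step, as an added shell example that is not the playbook's own fs-cve-2016-6662.sh: it classifies each candidate option file mysqld may read and, with FIX=true (mirroring the playbook's fs\_fix\_permissions switch), pre-creates missing ones as empty root-owned files so the service user cannot create them first. The service user `mysql`, the datadir `/var/lib/mysql` and the path list are assumptions; adjust them for your build.

```shell
#!/bin/sh
# Added example, not part of the playbook: audit the defaults files mysqld may read
# and, with FIX=true, pre-create missing ones so the service user cannot.
# Assumptions: service user "mysql", datadir /var/lib/mysql; override via environment.
MYSQL_USER="${MYSQL_USER:-mysql}"
DATADIR="${DATADIR:-/var/lib/mysql}"
FIX="${FIX:-false}"

# Default option files in read order; $DATADIR/my.cnf is the one a compromised
# mysqld could create itself, because mysqld must be able to write to its datadir.
defaults_files() {
    printf '%s\n' /etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf "$DATADIR/my.cnf"
}

# Classify one path: MISSING, OK, or UNSAFE. UNSAFE means the service user owns
# the file or it is group/world writable, so mysqld could change what it loads.
classify_defaults_file() {
    f="$1"
    [ -e "$f" ] || { echo MISSING; return 0; }
    set -- $(ls -ld "$f")          # field 1 = mode string, field 3 = owner
    perms="$1"; owner="$3"
    if [ "$owner" = "$MYSQL_USER" ]; then echo UNSAFE; return 0; fi
    case "$perms" in
        ?????w*|????????w*) echo UNSAFE ;;   # group- or world-writable
        *) echo OK ;;
    esac
}

# Create an empty mode 0644 file (root-owned when run as root) so mysqld cannot.
create_placeholder() {
    ( umask 022 && : > "$1" ) && echo "created $1"
}

# Report every path, optionally fix MISSING ones; return 1 if anything is UNSAFE.
audit_defaults_files() {
    rc=0
    for f in $(defaults_files); do
        state=$(classify_defaults_file "$f")
        echo "$state $f"
        case "$state" in
            UNSAFE)  rc=1 ;;
            MISSING) [ "$FIX" = true ] && create_placeholder "$f" ;;
        esac
    done
    return $rc
}

audit_defaults_files || echo "WARNING: unsafe defaults files found, review above" >&2
```

Run it as root on the database host; as written it only reports, and FIX=true creates placeholders only for paths whose directory already exists.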
~~I have verified this on close to a hundred installations - mostly Debian, a couple of RedHat and Suse ones.~~
This new version has been applied on nearly 200 hosts, with no obvious problems.
I've observed the _patch_ fail on 5.1 setups, as the mysqld\_safe script does not contain the anchor points - but that version (and lower) is also not vulnerable, so this is not a problem.
~~Note that a changed= value of 0 or 2 means no patch was done (2 if installed and removed _patch_); 1 or 3 means the patch was performed. Other values are unexpected and should be investigated :-)~~
With the extra task, it is no longer so clear-cut; you'll have to actually read the output.
Thanks to Kenny Gryp, Percona and MySQL for the clear explanation and easy workaround; extra thanks to Patrick Forsberg for catching the flaw in the original patch.
/vegi
File snapshot
[4.0K] /data/pocs/35db7320bb0be8140d44db4c1204143f786facec
├── [ 675] cve-2016-6662.patch
├── [ 560] cve-2016-6662-undo-percona.patch
├── [4.1K] fs-cve-2016-6662.sh
├── [1.4K] mysql_patch_CVE-2016-6662.yml
└── [2.9K] README.md
0 directories, 5 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.