Simple ansible playbook to patch mysql servers against CVE-2016-6662.
- 20160915.2347.CEST: Kenny informed me of Patrick Forsberg's catch that the original patch did not safeguard against ../ abuse. I've now replaced the patch with one that is more stringent (based on a mix of the Percona and MySQL ones), and also added a task that removes the Percona patch if it was already applied.
In brief, the exploit will try to write a malicious .so to the filesystem and modify your configuration so that the library is loaded at the next service restart.
This patch will not prevent the actual attack, but it modifies mysqld_safe so that .so files are only loaded from the standard system locations, where mysqld cannot write. It will also check the existence and permissions of the various defaults files that mysqld might pick up, to prevent malicious code from creating or modifying them.
- Specify the targets for the playbook as --extra-vars='targets=host1,host2' to ansible-playbook
- If you want the script to fix the defaults files instead of just reporting them, pass --extra-vars='fs_fix_permissions=true' to ansible-playbook
The full issue is available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662 ; Kenny Gryp of Percona has posted a brief-but-excellent explanation at https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/ .
This playbook will try to apply a custom patch that is a mix of the Percona patch in https://github.com/percona/percona-server/commit/c14be53e029442f576cced1fb8ff96b58e89f2e0#diff-144aa2f11374843c969d96b7b84247eaR261 and the MySQL patch at https://github.com/mysql/mysql-server/blob/5.7/scripts/mysqld_safe.sh#L356-L364 .
It will:
- Install the standard patch package if not present
- Find the location of your mysqld_safe executable using which
- Remove the Percona patch if it was applied
- Attempt to patch mysqld_safe
- Remove the patch package again if we were the ones who installed it
- Check and optionally secure the list of defaults files mysqld tries to read
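The defaults-file check from the last step, as an added stand-alone example rather than the playbook's own task: it reports each file that is missing, not root-owned or group/other-writable, and with FIX=true creates or corrects it. The path list is an assumption based on the usual MySQL lookup order, not taken from the playbook.

```sh
#!/bin/sh
# Added example (not the playbook's code). A missing file is flagged too: an attacker who can
# write to its directory could create it, so creating it root-owned up front closes that door.
# The list below is an assumption based on the usual MySQL defaults-file lookup order.
DEFAULT_CNF_FILES="/etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf"

# check_cnf FILE UID -> 0 ok, 1 missing, 2 wrong owner, 3 group- or other-writable
check_cnf() {
  f="$1"; want_uid="$2"
  [ -e "$f" ] || return 1
  set -- $(ls -ldn "$f")                 # mode links uid gid size ... name (numeric ids)
  mode="$1"; uid="$3"
  [ "$uid" = "$want_uid" ] || return 2
  case "$mode" in
    ?????w*|????????w*) return 3 ;;      # char 6 = group write bit, char 9 = other write bit
  esac
  return 0
}

# fix_cnf FILE UID: create the file if absent, then make it UID-owned and mode 0644
fix_cnf() {
  f="$1"; want_uid="$2"
  [ -e "$f" ] || : > "$f"
  chown "$want_uid" "$f" && chmod 0644 "$f"
}

# audit_cnf_files UID FIX FILE...: prints one line per file and returns the number of
# files that were not OK when checked (counted before any fixing is done)
audit_cnf_files() {
  want_uid="$1"; fix="$2"; shift 2
  bad=0
  for f in "$@"; do
    check_cnf "$f" "$want_uid" && rc=0 || rc=$?
    case $rc in
      0) echo "OK       $f" ;;
      1) echo "MISSING  $f"; bad=$((bad + 1)) ;;
      2) echo "OWNER    $f"; bad=$((bad + 1)) ;;
      3) echo "WRITABLE $f"; bad=$((bad + 1)) ;;
    esac
    if [ "$rc" -ne 0 ] && [ "$fix" = true ]; then
      fix_cnf "$f" "$want_uid" && echo "FIXED    $f"
    fi
  done
  return $bad
}

# Report only by default; FIX=true mirrors the playbook's fs_fix_permissions=true behaviour
audit_cnf_files 0 "${FIX:-false}" $DEFAULT_CNF_FILES || echo "$? file(s) need attention"
```

Fixing requires root (chown to uid 0); the report mode works as any user that can stat the files.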
I have verified this on close to a hundred installations - mostly Debian, a couple of RedHat and Suse ones.
This new version has been applied on nearly 200 hosts, with no obvious problems.
I've observed the patch fail on 5.1 setups, as the mysqld_safe script does not contain the anchor points - but that version (and lower) is also not vulnerable, so this is not a problem.
Note that a changed= value of 0 or 2 means no patch was done (2 if the patch package was installed and removed); 1 or 3 means the patch was performed. Other values are unexpected and should be investigated :-)
With the extra task, it is no longer so clear-cut; you'll have to actually read the output.
Thanks to Kenny Gryp, Percona and MySQL for the clear explanation and easy workaround; extra thanks to Patrick Forsberg for catching the flaw in the original patch.
/vegi