Percona Resources

Software
Downloads

All of Percona’s open-source software products, in one place, to download as much or as little as you need.

Product
Documentation

A single source for documentation on all of Percona’s leading, open-source software.

Financial Services

Driving Database Success

Percona Blog

Percona Blog

Our popular knowledge center for all Percona products and all related topics.

Community

Percona Community Hub

A place to stay in touch with the open-source community

Events

Percona Events Hub

See all of Percona’s upcoming events and view materials like webinars and forums from past events

About

About Percona

Percona is an open source database software, support, and services company that helps make databases and applications run better.

Percona in the News

See Percona’s recent news coverage, press releases and industry recognition for our open source software and support.

Our Customers

Our Partners

Careers

Contact Us

David Busby
David is an Information Security Architect, and CISSP qualified. He has worked with Percona since 2013 and has over 17 years' experience in DevOps, databases and security. David is a Ju-Jitsu instructor, assistant scout leader and also volunteers at a local secondary school to teach kids computing.

Okta – Percona’s statement

On 22nd March 2022 08:43 UTC, we became aware of the issue affecting Okta, a third-party identity provider that Percona uses for https://id.percona.com. Initially, there was no statement from Okta, so our Security Operations team reviewed the information available from LAPSUS$ and other public sources. Based on the public information available about the issue, we […]

Log4JShell Vulnerability Update

Percona Security has been tracking an evolving issue over the weekend and into the beginning of this week. The Log4J vulnerability, also sometimes referred to as Log4JShell, can be exploited to allow for the complete takeover of the target to run any arbitrary code. This affects versions of log4j 2.0-beta9 through 2.14.1 – the current […]

CVE-2020-15180 – Affects Percona XtraDB Cluster

Galera replication technology, a key component of Percona XtraDB Cluster, suffered from a remote code execution vulnerability. Percona has been working with the vendor since early September on this issue and has made releases available to address the problem. Applicability A malicious party with access to the WSREP service port (4567/TCP) as well as prerequisite […]

CVE-2020-26542: SimpleLDAP Authentication in Percona Server for MySQL, Percona Server for MongoDB

CVE-2020-26542 When using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account. Applicability Percona […]

CVE-2020-10996 – Percona XtraDB Cluster SST script static key

CVE-2020-10996   Percona XtraDB Cluster versions greater than 5.7.22-29.26 and less than 5.7.28-31.42.1 contained a script that handled SST transfers to nodes, this was inadvertently set to a static value due to an error in the bash script handling this process.   Applicability Time based access to SST files is required in order to exploit […]

CVE-2020-10997 – Percona XtraBackup information disclosure of command line arguments

CVE-2020-10997   Percona XtraDB backup >= 2.4.11 suffers an issue whereby the whole command line is captured and output to resulting backup file location, and where –history command line argument is passed this too is captured within the PERCONA_SCHEMA.xtrabackup_history table. In addition to the information being present within the process list and standard error output. […]

Incident Involving Percona Forums on September 24, 2019

Summary On September 24, 2019, Percona’s IT and IT Security teams were made aware of a denial of service attack on www.percona.com/forums. We use vBulletin to host Percona Forums, which was subjected to a zero-day pre-authentication remote code execution. This vulnerability potentially allows an unauthenticated attacker to remotely execute code on, or possibly complete control […]

Critical Update for Percona Server for MySQL 5.6.44-85.0

This is a CRITICAL update and the fix mitigates the issues described in CVE-2019-12301. If you upgraded packages on Debian/Ubuntu to 5.6.44-85.0-1, please upgrade to 5.6.44-85.0-2 or later and reset all MySQL root passwords.   Issue On 2019-05-18 Percona discovered an issue with the Debian/Ubuntu 5.6.44-85.0-1 packages for Percona Server for MySQL. When the previous […]

Deprecation of TLSv1.0 2019-02-28

Ahead of the PCI move to deprecate the use of ‘early TLS’, we’ve previously taken steps to disable TLSv1.0. Unfortunately at that time we encountered some issues which led us to rollback these changes. This was to allow users of operating systems that did not – yet – support TLSv1.1 or higher to download Percona packages over […]

Percona Responds to MySQL LOCAL INFILE Security Issues

In this post, we’ll cover Percona’s thoughts about the current MySQL community discussion happening around MySQL LOCAL INFILE security issues. This post is released given the already public discussion of this particular issue, with the exploitation code currently redacted to ensure forks of MySQL client libraries have sufficient time to implement their response strategies. This […]

Another Day, Another Data Leak

In the last few days, there has been information released about yet another alleged data leak, placing in jeopardy “…[the] personal information on hundreds of millions of American adults, as well as millions of businesses.” In this case, the “victim” was Exactis, for whom data collection and data security are core business functions. Some takeaways […]

MySQL Ransomware: Open Source Database Security Part 3

This blog post examines the recent MySQL® ransomware attacks, and what open source database security best practices could have prevented them. Unless you’ve been living under a rock, you know that there has been an uptick in ransomware for MongoDB and Elasticsearch deployments. Recently, we’re seeing the same for MySQL. Let’s look and see if this is MySQL’s […]

Docker Security Vulnerability CVE-2016-9962

Docker 1.12.6 was released to address CVE-2016-9962. CVE-2016-9962 is a serious vulnerability with RunC. Quoting the coreos page (linked above): “RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new […]

CVE-2016-6225: Percona Xtrabackup Encryption IV Not Being Set Properly

If you are using Percona XtraBackup with xbcrypt to create encrypted backups, and are using versions older than 2.3.6 or 2.4.5, we advise that you upgrade Percona XtraBackup. Note: this does not affect encryption of encrypted InnoDB tables. CVE-2016-6225 Percona XtraBackup versions older than 2.3.6 or 2.4.5 suffered an issue of not properly setting the Initialization Vector (IV) for […]

Percona responds to CVE-2016-6663 and CVE-2016-6664

Percona has addressed CVE-2016-6663 and CVE-2016-6664 in releases of Percona Server for MySQL and Percona XtraDB Cluster. Percona is happy to announce that the following vulnerabilities are fixed in current releases of Percona Server for MySQL and Percona XtraDB Cluster: CVE-2016-6663: allows a local system user with access to the affected database in the context of […]

Percona Server Critical Update CVE-2016-6662

This blog is an announcement for a Percona Server update with regards to CVE-2016-6662. We have added a fix for CVE-2016-6662 in the following releases: Percona Server 5.5.51-38.1 Percona Server 5.5.51-38.2 Percona Server 5.6.32-78.0 Percona Server 5.6.32-78.1 Percona Server 5.7.14-7 Percona Server 5.7.14-8 Percona XtraDB Cluster 5.5.41-25.12 Percona XtraDB Cluster 5.6.30-25.16.2 Percona XtraDB Cluster 5.6.30-25.16.3 From […]

EL5 and why we’ve had to enable TLSv1.0 again

We have had to revert back to TLSv1.0. If you saw my previous post on TLSv1.0 (https://www.percona.com/blog/2016/05/23/percona-disabling-tlsv1-0-may-31st-2016/), you’ll know I  wanted to deprecate TLSv1.0 well ahead of PCI’s changes. We made the changes May 31st. Unfortunately, it has become apparent that EL 5, which is in the final phases of End Of Life, does not support TLSv1.1 […]

Percona disabling TLSv1.0 May 31st 2016

As of May 31st, 2016, we will be disabling TLSv1.0 support on www.percona.com, repo.percona.com, etc. This is ahead of the PCI changes that will affect the June 30th 2016 deprecation the TLSv1.0 protocol. (PDF) What does this mean for you the user? Based on analysis of our IDS logs, this will affect around 6.32% of requests. […]

How to Mitigate DROWN CVE-2016-0800

This blog post will discuss how to Mitigate DROWN CVE-2016-0800. Unless you’ve been living in a cave you’ll have heard (or likely to hear about soon) the drown attack. From the Red Hat site: “A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this […]