Mar 25, 2022 | MySQL
On 22nd March 2022 08:43 UTC, we became aware of the issue affecting Okta, a third-party identity provider that Percona uses for https://id.percona.com. Initially, there was no statement from Okta, so our Security Operations team reviewed the information available from LAPSUS$ and other public sources. Based on the public information available about the issue, we […]
Dec 14, 2021 | Percona Announcements, Security
Percona Security has been tracking an evolving issue over the weekend and into the beginning of this week. The Log4J vulnerability, also sometimes referred to as Log4JShell, can be exploited to take complete control of the target and run arbitrary code. This affects versions of log4j 2.0-beta9 through 2.14.1 – the current […]
Oct 30, 2020 | Insight for DBAs, MySQL, Percona Software
Galera replication technology, a key component of Percona XtraDB Cluster, suffered from a remote code execution vulnerability. Percona has been working with the vendor since early September on this issue and has made releases available to address the problem. Applicability: A malicious party with access to the WSREP service port (4567/TCP) as well as prerequisite […]
Oct 23, 2020 | MongoDB, MySQL, Percona Software
CVE-2020-26542: When using SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a flaw that allows authentication to complete when a blank value is passed for the account password, granting access to the service with which Active Directory is integrated, at the level granted to the authenticating account. Applicability: Percona […]
Apr 20, 2020 | MySQL
CVE-2020-10996: Percona XtraDB Cluster versions greater than 5.7.22-29.26 and less than 5.7.28-31.42.1 contained a script that handled SST transfers to nodes; due to an error in the bash script handling this process, this was inadvertently set to a static value. Applicability: Time-based access to SST files is required in order to exploit […]
Apr 16, 2020 | MySQL
CVE-2020-10997: Percona XtraBackup >= 2.4.11 suffers from an issue whereby the whole command line is captured and written to the resulting backup file location; where the --history command line argument is passed, the command line is also captured within the PERCONA_SCHEMA.xtrabackup_history table, in addition to being present within the process list and standard error output. […]
Sep 25, 2019 | Security
Summary: On September 24, 2019, Percona’s IT and IT Security teams were made aware of a denial of service attack on www.percona.com/forums. We use vBulletin to host the Percona Forums, and it was subjected to a zero-day pre-authentication remote code execution exploit. This vulnerability potentially allows an unauthenticated attacker to remotely execute code on, or possibly complete control […]
May 24, 2019 | MySQL
This is a CRITICAL update, and the fix mitigates the issues described in CVE-2019-12301. If you upgraded packages on Debian/Ubuntu to 5.6.44-85.0-1, please upgrade to 5.6.44-85.0-2 or later and reset all MySQL root passwords. Issue: On 2019-05-18 Percona discovered an issue with the Debian/Ubuntu 5.6.44-85.0-1 packages for Percona Server for MySQL. When the previous […]
Mar 12, 2019 | Insight for DBAs, MySQL, Security, Webinars
Please join Percona’s Information Security Architect, David Busby, as he presents his talk Web Application Security – Why You Should Review Yours on March 14th, 2019 at 6:00 AM PDT (UTC-7) / 9:00 AM EDT (UTC-4). In this talk, we take a look at the whole stack, and I don’t just mean […]
Feb 18, 2019 | MySQL, Security
Ahead of the PCI move to deprecate the use of ‘early TLS’, we previously took steps to disable TLSv1.0. Unfortunately, at that time we encountered some issues which led us to roll back these changes. This was to allow users of operating systems that did not – yet – support TLSv1.1 or higher to download Percona packages over […]
Feb 06, 2019 | MySQL, Security
In this post, we’ll cover Percona’s thoughts about the current MySQL community discussion happening around MySQL LOCAL INFILE security issues. This post is released given the already public discussion of this particular issue, with the exploitation code currently redacted to ensure forks of MySQL client libraries have sufficient time to implement their response strategies. This […]
Jul 06, 2018 | MongoDB, MySQL, Percona Software, Security
In the last few days, there has been information released about yet another alleged data leak, placing in jeopardy “…[the] personal information on hundreds of millions of American adults, as well as millions of businesses.” In this case, the “victim” was Exactis, for whom data collection and data security are core business functions. Some takeaways […]
Feb 27, 2017 | MySQL, Security
This blog post examines the recent MySQL® ransomware attacks, and what open source database security best practices could have prevented them. Unless you’ve been living under a rock, you know that there has been an uptick in ransomware for MongoDB and Elasticsearch deployments. Recently, we’re seeing the same for MySQL. Let’s look and see if this is MySQL’s […]
Jan 31, 2017 | Cloud, MongoDB, MySQL, Percona Events, Security
Docker 1.12.6 was released to address CVE-2016-9962, a serious vulnerability in RunC. Quoting the coreos page (linked above): “RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new […]
Jan 12, 2017 | MySQL, Security
If you are using Percona XtraBackup with xbcrypt to create encrypted backups, and are using versions older than 2.3.6 or 2.4.5, we advise that you upgrade Percona XtraBackup. Note: this does not affect encryption of encrypted InnoDB tables. CVE-2016-6225: Percona XtraBackup versions older than 2.3.6 or 2.4.5 suffered from an issue of not properly setting the Initialization Vector (IV) for […]
Nov 02, 2016 | MySQL, Percona Events, Percona Software
Percona has addressed CVE-2016-6663 and CVE-2016-6664 in releases of Percona Server for MySQL and Percona XtraDB Cluster. Percona is happy to announce that the following vulnerabilities are fixed in current releases of Percona Server for MySQL and Percona XtraDB Cluster: CVE-2016-6663: allows a local system user with access to the affected database in the context of […]
Sep 12, 2016 | MySQL, Percona Events
This blog is an announcement for a Percona Server update with regards to CVE-2016-6662. We have added a fix for CVE-2016-6662 in the following releases: Percona Server 5.5.51-38.1, Percona Server 5.5.51-38.2, Percona Server 5.6.32-78.0, Percona Server 5.6.32-78.1, Percona Server 5.7.14-7, Percona Server 5.7.14-8, Percona XtraDB Cluster 5.5.41-25.12, Percona XtraDB Cluster 5.6.30-25.16.2, Percona XtraDB Cluster 5.6.30-25.16.3. From […]
Jun 06, 2016 | MySQL
We have had to revert to TLSv1.0. If you saw my previous post on TLSv1.0 (https://www.percona.com/blog/2016/05/23/percona-disabling-tlsv1-0-may-31st-2016/), you’ll know I wanted to deprecate TLSv1.0 well ahead of PCI’s changes. We made the changes on May 31st. Unfortunately, it has become apparent that EL 5, which is in the final phases of End Of Life, does not support TLSv1.1 […]
May 23, 2016 | Percona Events
As of May 31st, 2016, we will be disabling TLSv1.0 support on www.percona.com, repo.percona.com, etc. This is ahead of the PCI changes that deprecate the TLSv1.0 protocol on June 30th, 2016. What does this mean for you, the user? Based on analysis of our IDS logs, this will affect around 6.32% of requests. […]
Mar 04, 2016 | MySQL
This blog post will discuss how to mitigate DROWN (CVE-2016-0800). Unless you’ve been living in a cave, you’ll have heard (or are likely to hear soon) about the DROWN attack. From the Red Hat site: “A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this […]