Certain versions of the open source database software can be hacked simply by entering a wrong password over and over again
A security vulnerability affecting certain versions of the open source database software MySQL allows an attacker who knows a valid user name to gain access simply by retrying an incorrect password.
The vulnerability was reported over the weekend by Sergei Golubchik, security coordinator for MariaDB, another open source database that was split off from the MySQL project.
“If [someone] knows a user name to connect (and “root” almost always exists), she can connect using *any* password by repeating connection attempts,” he explained. “~300 attempts takes only a fraction of a second, so basically account password protection is as good as nonexistent.”
The flaw affects MySQL and MariaDB versions up to and including 5.1.61, 5.2.11, 5.3.5 and 5.5.22 (the 5.2 and 5.3 lines are MariaDB only). Whether a given server is exploitable depends on how it was built, not only on its version number: the official binaries shipped by Oracle, which owns MySQL following its acquisition of Sun Microsystems, and by MariaDB are apparently unaffected.
“Practically it’s better than it looks; many MySQL/MariaDB builds are not affected by this bug,” Golubchik wrote.
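The article does not say why a few hundred attempts are enough, or why only some builds are exposed. The cause was that the server's password-hash comparison returned the `int` result of `memcmp()` through a one-byte `my_bool`. C guarantees only the sign of `memcmp()`'s result, and some optimized libc implementations return values outside -128..127; narrowing such a value to one byte discards everything but the low 8 bits, so any mismatch whose difference is a multiple of 256 collapses to 0, which the caller reads as "passwords match". For a wrong password that happens about once in 256 tries. The example below is added here to show that failure mode and is not MySQL's or MariaDB's own code: `wide_memcmp` is a constructed stand-in for an optimized `memcmp` (it compares 16-bit chunks and returns their signed difference), `check_scramble_vulnerable` and `check_scramble_fixed` are simplified versions of the vulnerable and corrected comparison shape, and the stored hash bytes are constructed sample data. The one-byte narrowing relies on the gcc/clang convention of reducing modulo 2^8.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HASH_SIZE 20          /* SHA-1 digest length, as used by MySQL's scramble check */
typedef char my_bool;         /* MySQL's historic one-byte boolean type */

/* Constructed stand-in for an optimized libc memcmp: compares 16-bit chunks and
 * returns the signed difference of the first chunk that differs (-65535..65535).
 * The C standard only guarantees the SIGN of memcmp's result; the magnitude is
 * implementation-defined, which is the property the bug depended on. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2) {
        int wa = a[i] | (a[i + 1] << 8);
        int wb = b[i] | (b[i + 1] << 8);
        if (wa != wb)
            return wa - wb;
    }
    for (; i < n; i++)                 /* odd trailing byte, if any */
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable shape (hypothetical simplification): the int result is narrowed to a
 * one-byte my_bool. On gcc/clang the conversion keeps the low 8 bits, so any
 * difference that is a multiple of 256 becomes 0, i.e. "match". 0 means accept. */
static my_bool check_scramble_vulnerable(const unsigned char *stored,
                                         const unsigned char *computed)
{
    return (my_bool) wide_memcmp(stored, computed, HASH_SIZE);
}

/* Fixed shape: normalize to 0/1 while the value is still a full int. */
static my_bool check_scramble_fixed(const unsigned char *stored,
                                    const unsigned char *computed)
{
    return wide_memcmp(stored, computed, HASH_SIZE) != 0;
}

/* Vary only the first 16-bit word of the candidate hash over all 65536 values and
 * count FALSE acceptances: candidates that differ from `stored` yet return 0. */
static int count_false_accepts(my_bool (*check)(const unsigned char *,
                                                const unsigned char *))
{
    unsigned char stored[HASH_SIZE], candidate[HASH_SIZE];
    int false_accepts = 0;

    /* Constructed sample "stored" hash; the exact bytes do not matter. */
    for (int i = 0; i < HASH_SIZE; i++)
        stored[i] = (unsigned char)(0x5A + 7 * i);

    for (int w = 0; w < 65536; w++) {
        memcpy(candidate, stored, HASH_SIZE);
        candidate[0] = (unsigned char)(w & 0xFF);
        candidate[1] = (unsigned char)(w >> 8);
        if (memcmp(candidate, stored, HASH_SIZE) == 0)
            continue;                          /* the one genuine match */
        if (check(stored, candidate) == 0)
            false_accepts++;
    }
    return false_accepts;
}

int main(void)
{
    printf("vulnerable: %d of 65535 wrong hashes accepted\n",
           count_false_accepts(check_scramble_vulnerable));
    printf("fixed:      %d of 65535 wrong hashes accepted\n",
           count_false_accepts(check_scramble_fixed));
    return 0;
}
```

With the simulated comparison the vulnerable check accepts every candidate whose low byte matches the stored hash's low byte (255 wrong hashes out of 65535, one in 256), while the normalized check accepts none. Against a real server the equivalent check is the one Golubchik describes: retry a known-wrong password a few hundred times against a test account on the exact build in use; a build whose `memcmp` never returns values outside -128..127 will reject every attempt.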
However, HD Moore, chief security officer of security vendor Rapid7, calculated that over 700,000 MySQL or MariaDB database systems that contain the flaw may be accessible over the Internet. He described the flaw as “tragically comedic”.
MySQL is a popular database for building web applications. According to analyst company the 451 Group, the market for products and services based on MySQL is poised to grow from $171 million in 2011 to $664 million in 2015.
There had been fears that Oracle’s ownership of the commercial MySQL product, following its acquisition of Sun Microsystems, might damage the community. However, “the MySQL ecosystem is arguably more healthy and vibrant than ever, with a strong vendor committed to the core product, and many alternative and complementary products and services on offer to maintain the competitive pressure on Oracle,” the 451 Group wrote.