A set of recently discovered vulnerabilities in the MySQL database software prompted patches from one open source vendor, while Oracle, which maintains MySQL, has yet to respond to the reports, ZDNet reported. Monty Program, which makes the MariaDB fork of MySQL, announced that it has since patched these issues and offered further explanation of the vulnerabilities in a post on Heise Media's website The H.
Two of the zero-day flaws, designated CVE-2012-5612 and CVE-2012-5614, can be used by attackers to crash the MySQL instance, according to ZDNet. CVE-2012-5611, which is a duplicate of the older bug CVE-2012-5579, can have a similar effect or be used to execute arbitrary code.
Monty Program vice president of architecture Sergei Golubchik explained that one bug that allows attackers to see if a username is in use by the SQL instance has been known for years. Another, which allows certain non-administrative users to access administration functions, stems from a misconfiguration warned against in the MySQL reference manual.
In response to the threats, which remain unpatched for Oracle users, The H advised MySQL administrators to restrict database access. To avoid this kind of service interruption in their own products while patches are being put together, developers may want to strengthen the security considerations in their coding lifecycles, particularly by verifying third-party and open source code.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.