#VU946 Arbitrary command execution in Oracle Linux - CVE-2016-6662


| Updated: 2018-09-14

Vulnerability identifier: #VU946

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2016-6662

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Oracle Linux
Operating systems & Components / Operating system

Vendor:
Oracle

Description
The vulnerability allows an administrative user to execute arbitrary command on the target system.
The weakness exists due to insufficient access control that allows a malicious user to execute arbitrary command with root privileges that may lead to complete system compromise.
Successful exploitation of the vulnerability results in arbitrary code excution on the vulnerable system.

Vulnerable software versions

: 5.5.50 - 5.5.52, 5.6.31 - 5.6.33, 5.7.13 - 5.7.15

:

Oracle Linux: 7

External links
https://alas.aws.amazon.com/ALAS-2016-756.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


SUSE Linux update for mysql
Red Hat update for mariadb-galera
Arbitrary command execution in mariadb (Alpine package)
Red Hat update for mariadb-galera
OpenSUSE Linux update for mariadb
SUSE Linux update for mariadb
SUSE Linux update for mariadb
SUSE Linux update for mysql
[slackware-security] mariadb / mysql (SSA:2016-257-01)
Ubuntu update for MySQL