AUSCERT Security Bulletin
MySQL Arbitrary Password Vulnerability
12 June 2012
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
CVE Names: CVE-2012-2122
Member content until: Thursday, July 12 2012
An incorrect type conversion in the password handling routines in some
builds of MySQL causes the password check to be unsafe: a connection for
any existing user (including root) may be accepted, granting database
access, even though the password supplied is incorrect.
After a sufficient number of attempts with an invalid password, a remote
attacker may successfully connect to a MySQL database as any existing
user, including root. With remote access to the MySQL service, a brute
force attack against this vulnerability is feasible.
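The type conversion described above, modelled in C as an added illustration (this is not code from the bulletin or from MySQL): the comparison result is an int, but MySQL's check_scramble() returned it through my_bool, a plain char, so any non-zero result whose low byte is zero is narrowed to 0 and read as a match. The wide_memcmp stand-in, the _vulnerable/_fixed function names and the sample hashes are constructed for this example.

```c
#include <stdio.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* MySQL's my_bool of that era: a plain char */

/* Constructed stand-in for an optimised libc memcmp: it returns the
   difference of the first mismatching bytes scaled by 256. That is a legal
   memcmp result (only the sign is specified) but does not fit in a char. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return ((int)a[i] - (int)b[i]) * 256;   /* e.g. 256 or -256 */
    return 0;
}

/* Shape of the vulnerable check_scramble(): 0 means "password matches".
   The int is narrowed to my_bool on return, so 256 silently becomes 0. */
static my_bool check_scramble_vulnerable(const unsigned char *expected,
                                         const unsigned char *received)
{
    return wide_memcmp(expected, received, SHA1_HASH_SIZE);
}

/* Shape of the corrected check: collapse the result to 0 or 1 while it is
   still an int, so the narrowing can no longer erase a mismatch. */
static my_bool check_scramble_fixed(const unsigned char *expected,
                                    const unsigned char *received)
{
    return wide_memcmp(expected, received, SHA1_HASH_SIZE) != 0;
}

/* Constructed sample hashes: kWrong differs from kExpected in its first byte. */
static const unsigned char kExpected[SHA1_HASH_SIZE] = {
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
    0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13 };
static const unsigned char kWrong[SHA1_HASH_SIZE] = {
    0x01,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
    0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13 };

int main(void)
{
    printf("vulnerable: wrong hash %s\n",
           check_scramble_vulnerable(kExpected, kWrong) ? "rejected" : "ACCEPTED");
    printf("fixed:      wrong hash %s\n",
           check_scramble_fixed(kExpected, kWrong) ? "rejected" : "ACCEPTED");
    return 0;
}
```

Whether a real build was affected depended on the memcmp implementation it was linked against and on whether the compiler kept the int-to-char narrowing, which is why the bulletin ties exposure to how and where MySQL was built.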
Whether an installation is vulnerable depends on how and where MySQL was
built. Official MySQL binaries are not known to be affected, but members
are advised to monitor for bulletins from their respective vendors. Where
possible, restricting direct access to public-facing MySQL installations
may mitigate the impact of this vulnerability.
This bug is tracked by MySQL as Bug #64884 and was corrected in MySQL
5.1.63 and 5.5.24.
 Changes in MySQL 5.1.63 (07 May 2012)
 Changes in MySQL 5.5.24 (07 May 2012)
 Bug #64884 - logins with incorrect password are allowed
 Security vulnerability in MySQL/MariaDB sql/password.c
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.