← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:118234 · Disclosed 2018-10-16

MySQL 5

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a front-door smash and more a bad lock on an already restricted server room

Tenable plugin 118234 flags Oracle MySQL 5.6.41 and earlier, fixed in 5.6.42, for the October 16, 2018 Oracle Critical Patch Update. The bundle covers multiple MySQL Server issues plus an inherited zlib issue (CVE-2016-9843) that drives the scary top-end score. In Oracle's own risk matrix, the MySQL Server issues relevant to 5.6.x are mostly reachable over the MySQL protocol but are not remotely exploitable without authentication, and the 5.6-specific entries trend toward availability impact or limited integrity issues rather than clean unauthenticated takeover.

The vendor-style severity is overstated for enterprise prioritization because the main friction is decisive: in real deployments, an attacker typically needs network reachability to MySQL and valid database credentials before any of these 5.6-server paths matter. That makes this a post-initial-access or credential-compromise amplifier, not a true internet-scale pre-auth edge bug. It still matters—especially for exposed 3306 listeners and legacy estates—but it does not deserve the same urgency as an unauthenticated RCE.

"This looks scary on paper, but the real attack path usually starts after the attacker already has MySQL creds."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable MySQL listener

The attacker starts with exposure discovery using nmap, Shodan, or Censys against TCP 3306. If the server is only reachable from app tiers or internal subnets, this step already implies the attacker is inside your network or on a trusted path. Shadowserver's internet census shows MySQL exposure is common globally, but many enterprise databases are still not directly internet-facing.
Conditions required:
  • MySQL service listening on TCP 3306 or another reachable port
  • Attacker has internet or internal-network path to the database
Where this breaks in practice:
  • Most mature enterprises keep MySQL behind app tiers, VPNs, or private subnets
  • Security groups, host firewalls, and bind-address settings often block direct reachability
Detection/coverage: Good external attack-surface tools and routine nmap/ASM scans catch this well; exposure detection is easier than exploit detection.
STEP 02

Get valid MySQL credentials

Oracle's October 2018 MySQL Server entries for the affected 5.6 branch are marked not remotely exploitable without authentication. In practice the attacker needs stolen app credentials, reused admin creds, secrets from config files, or a low-priv database account obtained after initial access. Tools here are pedestrian: mysql, hydra, app-secret scraping, or credential reuse from another foothold.
Conditions required:
  • Valid MySQL username/password or equivalent auth material
  • Account permitted to connect over the MySQL protocol
Where this breaks in practice:
  • This is a major downward pressure on severity: it assumes credential theft or an already-compromised app stack
  • MFA is usually absent for DB auth, but PAM/LDAP controls, secret rotation, and scoped service accounts reduce usable access
Detection/coverage: Brute-force and unusual logins are detectable in MySQL audit/general logs, PAM/LDAP telemetry, and SIEM correlation, though many estates do not retain DB-auth logs long enough.
STEP 03

Trigger a vulnerable code path with crafted protocol or SQL

Once authenticated, the attacker uses a normal mysql client or a custom libmysql-based harness to send crafted requests that hit vulnerable parser, InnoDB, storage-engine, memcached, or replication code paths referenced in the CPU. For 5.6.x, Oracle's affected entries are mostly low-priv or high-priv authenticated network issues, plus the bundled zlib bug. This is not the same as dropping a public one-shot unauthenticated RCE exploit on an internet-facing edge service.
Conditions required:
  • Server actually runs Oracle MySQL 5.6.41 or earlier
  • The relevant vulnerable subsystem is present and reachable by the authenticated account
Where this breaks in practice:
  • Public, mature exploit tooling for these specific MySQL 5.6 CPU issues is sparse
  • Some paths are feature-dependent or require specific statements, privileges, or data layouts
  • Version-only scanner matches may be false positives when vendors backport fixes
Detection/coverage: Signature coverage is weak; expect version-based scanner detection, crash telemetry, error logs, and protocol anomaly detections rather than precise exploit signatures.
STEP 04

Cause outage or limited data impact

The most realistic business outcome is database-service instability, a crash, or abuse bounded by the privileges of the compromised database account. If the compromised account is a broad app account, blast radius can still be painful because one service credential often fronts a large amount of production data. But the exploit path is still narrower than a pre-auth network RCE because the attacker had to arrive with reachability and credentials already in hand.
Conditions required:
  • Authenticated session maintained long enough to exercise the bug
  • Target workload sensitive to MySQL crash or corruption
Where this breaks in practice:
  • Least-privileged service accounts cap direct blast radius
  • HA topologies, failover, and backups reduce long-term business impact
Detection/coverage: Operational monitoring usually catches the aftermath quickly: mysqld restarts, crash logs, replication errors, or sudden app failures.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo evidence found that the MySQL 5.6 October 2018 CPU issues in this plugin are in CISA KEV, and I found no authoritative active-exploitation reporting tied to the 5.6-specific server CVEs.
Proof-of-concept availabilityI found no widely adopted public MySQL-specific exploit chain for the 5.6-authenticated CPU items. The bundled zlib issue (CVE-2016-9843) has public research/fix references and third-party PoC indexing, but that is not the same as a clean weaponized MySQL pre-auth exploit.
EPSSRepresentative max-score driver CVE-2016-9843 currently shows EPSS about 0.15071 with percentile about 0.947 in Docker Scout data. Treat that carefully: it reflects the generic zlib CVE, not a proven enterprise-scale MySQL 5.6 exploit path.
KEV statusNot KEV-listed for the representative CVEs reviewed (CVE-2016-9843, CVE-2018-3143) as checked against the CISA Known Exploited Vulnerabilities Catalog.
CVSS reality checkTenable surfaces a Critical 9.8 because the plugin inherits the bundle's worst CVSS (CVE-2016-9843, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). But Oracle's own 5.6-server rows in this CPU are mostly authenticated MySQL-protocol issues, which is a materially narrower real-world path.
Affected versionsPlugin scope is Oracle MySQL 5.6.x < 5.6.42; Oracle's CPU matrix explicitly lists many relevant MySQL Server issues as affecting 5.6.41 and prior.
Fixed versionsOracle fixed this plugin's branch at 5.6.42. Be careful with distro ecosystems: Ubuntu and Red Hat ship packaged/backported variants where vulnerable-code status may not map cleanly to upstream Oracle version strings.
Exposure populationExposure is meaningful only where MySQL is reachable. Shadowserver reported over 3.6 million exposed MySQL servers on 3306/TCP, proving the internet attack surface exists, but that is global exposure data, not proof your enterprise databases are public.
Disclosure timelineOracle published the CPU on 2018-10-16; MySQL 5.6.42 GA followed on 2018-10-22. MySQL 5.6 itself reached end of life on 2021-02-05, which raises platform risk even if this specific CPU is only medium-priority.
Detection caveatTenable states the plugin did not test exploitability and relied on the application's self-reported version number. That means strong coverage for inventory, weak coverage for true exposure, backport awareness, and reachability context.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.8/10)

The single biggest reason this drops to MEDIUM is that the practical exploit chain usually requires authenticated remote MySQL access, which means the attacker already has database credentials or an app-tier foothold. That sharply reduces the exposed population compared with a true unauthenticated edge-service RCE, even though the inherited bundle score makes the plugin look far worse.

HIGH Affected version range and fixed release (`5.6.41 and prior` -> `5.6.42`)
MEDIUM Real-world exploitability assessment for the whole plugin bundle rather than a single CVE
MEDIUM Lack of active exploitation or KEV evidence

Why this verdict

  • Baseline starts high, then falls fast: the plugin inherits a worst-case 9.8 bundle score, but that score is driven by CVE-2016-9843 and does not represent the typical exploit path for the 5.6-specific MySQL Server issues.
  • Authentication is the decisive friction: Oracle's October 2018 matrix marks the reviewed MySQL Server entries affecting 5.6.41 and prior as not remotely exploitable without authentication. Requiring DB credentials implies prior compromise, secret theft, or app access.
  • Reachable population is narrower than the score implies: many enterprise MySQL servers are not directly internet-facing, so the attacker often also needs internal network position. Internal-only reachability compounds the downgrade because it assumes the attacker is already past the perimeter.
  • Public weaponization looks weak: I did not find a mature, widely referenced public exploit chain for the authenticated MySQL 5.6 CPU items. That lowers urgency versus bugs with turnkey Metasploit/Nuclei/one-click exploit coverage.
  • Scanner certainty is limited: Tenable says detection is version-only, not exploit-based. That means you should treat this as a strong inventory signal, not proof of reachable exploitable risk on every host.

Why not higher?

This is not higher because the real attack path is usually post-authentication and often post-initial-access. A vulnerability that needs internal reachability plus MySQL credentials is simply not in the same class as an unauthenticated internet-facing RCE, no matter what the inherited top CVSS in the bundle says.

Why not lower?

This is not lower because exposed MySQL services still exist in the wild, and a compromised app or reused DB credential can make exploitation practical. Also, anyone still running MySQL 5.6 is carrying legacy operational risk, so even a downgraded CPU finding should not be hand-waved away.

05 · Compensating Control

What to do — in priority order.

  1. Restrict MySQL reachability — Move listeners behind private subnets, host firewalls, or allowlists so only app tiers and admin jump hosts can reach 3306/TCP. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but for internet-exposed instances do this immediately as standard exposure reduction.
  2. Rotate and scope database credentials — Reduce the odds that an attacker can satisfy the main exploit prerequisite by rotating service-account secrets, removing dormant accounts, and cutting grants to least privilege. There is no mitigation SLA for MEDIUM, so fold this into normal credential-hardening work while staying inside the <=365 day remediation window.
  3. Validate backports before forcing upgrades — If the host runs a distro-packaged MySQL or a derivative, check vendor advisories and package changelogs before assuming the upstream Oracle version string tells the whole truth. This avoids unnecessary emergency change risk while you remediate within the MEDIUM window.
  4. Monitor for direct database access — Alert on new source IPs, unusual DB usernames, brute-force attempts, and interactive logins to production MySQL servers. This does not remove the bug, but it raises the chance you catch the credential-compromise step that usually comes first.
What doesn't work
  • A WAF does not meaningfully help if attackers connect directly to the MySQL protocol; this is not an HTTP edge issue.
  • Closing only the web tier while leaving 3306/TCP broadly reachable does not address the actual prerequisite.
  • Treating the 9.8 bundle score as standalone truth does not work here; it ignores authentication and reachability friction.
06 · Verification

Crowdsourced verification payload.

Run this on the target MySQL host or inside the database container/VM. Invoke it as bash verify-mysql-118234.sh with standard user rights if mysqld or mysql is in PATH; root is only needed if you must read restricted process paths. The script checks whether the host matches this specific plugin scope: Oracle MySQL 5.6.x < 5.6.42.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify-mysql-118234.sh
# Determine whether the local host matches Tenable plugin 118234 scope:
# Oracle MySQL 5.6.x prior to 5.6.42
# Outputs: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_FIXED="5.6.42"

get_version() {
  local out ver

  if command -v mysqld >/dev/null 2>&1; then
    out="$(mysqld --version 2>/dev/null || true)"
    ver="$(printf '%s' "$out" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
    if [ -n "${ver:-}" ]; then
      printf '%s' "$ver"
      return 0
    fi
  fi

  if command -v mysql >/dev/null 2>&1; then
    out="$(mysql --version 2>/dev/null || true)"
    ver="$(printf '%s' "$out" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
    if [ -n "${ver:-}" ]; then
      printf '%s' "$ver"
      return 0
    fi
  fi

  if command -v mysqladmin >/dev/null 2>&1; then
    out="$(mysqladmin version 2>/dev/null || true)"
    ver="$(printf '%s' "$out" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
    if [ -n "${ver:-}" ]; then
      printf '%s' "$ver"
      return 0
    fi
  fi

  return 1
}

version_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ] && [ "$1" != "$2" ]
}

version="$(get_version || true)"

if [ -z "${version:-}" ]; then
  echo "UNKNOWN: could not determine local MySQL version"
  exit 2
fi

major_minor="$(printf '%s' "$version" | cut -d. -f1-2)"

if [ "$major_minor" != "5.6" ]; then
  echo "PATCHED: host is running MySQL $version (not in plugin 118234's 5.6.x scope)"
  exit 0
fi

if version_lt "$version" "$TARGET_FIXED"; then
  echo "VULNERABLE: MySQL $version is older than fixed version $TARGET_FIXED"
  exit 1
fi

echo "PATCHED: MySQL $version is at or above fixed version $TARGET_FIXED"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: use this plugin as a legacy-MySQL inventory and exposure triage item, not a panic patch. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; validate which flagged hosts are truly Oracle MySQL 5.6.x, prioritize any that are internet-reachable or hold broad app credentials, and complete the actual move to 5.6.42+ or, better, off the dead 5.6 branch within the noisgate remediation SLA of <=365 days. If any 3306/TCP listeners are public, cut exposure first even though this specific finding is not a KEV-style emergency.

Sources

  1. Tenable Nessus Plugin 118234
  2. Oracle Critical Patch Update - October 2018
  3. MySQL 5.6 Release Notes PDF
  4. NVD CVE-2016-9843
  5. Ubuntu CVE-2018-3143
  6. Red Hat Bugzilla CVE-2018-3143
  7. Shadowserver Accessible MySQL Server Report
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.