About 1.7 million MySQL and MariaDB servers are exposed on the Internet and show the vulnerability. Of those, more than half (879,046) do not enforce host-based access controls that would compensate for the big security hole in their databases, Moore wrote.
Who is vulnerable? What can they do about it?
The vulnerability, identified as CVE-2012-2122, was addressed in MySQL 5.1.63 and 5.5.25, which were released in May. The flaw was not widely identified, however, because there was little information available and little publicity about the update, according to a story from the IDG News Service.
There has been no official patch because Oracle no longer supports version 4.0 of MySQL.
There is already at least one exploit available to take advantage of the flaw – a threaded brute-force module written by Jonathan Cran, CTO of Pwnie Express, who also contributes to the open-source penetration-testing/hacking framework Metasploit.
The fix is pretty simple, too.
"The easiest thing to do is to modify the my.cnf file in order to restrict access to the local system," Moore wrote. "Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the 'bind-address' parameter to '127.0.0.1'. Restart the MySQL service to apply this setting."
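The quoted advice is a one-line change, but on a fleet of servers it is worth being able to verify it rather than eyeball each file. The following shell script is an added example (not code from the article, from Rapid7 or from the MySQL project): it reads the [mysqld] section of an option file, extracts the effective bind-address, and reports whether mysqld is restricted to loopback. The two option files it audits are constructed here for demonstration; on a real host you would point `audit` at the live file (commonly /etc/my.cnf or /etc/mysql/my.cnf). MySQL treats `bind-address` and `bind_address` as the same option, and when the option is absent the server listens on every interface, which is why an empty result is reported as exposed.

```shell
#!/bin/sh
# Added example, not code from the article or from Rapid7: audit the
# [mysqld] section of a MySQL/MariaDB option file for the bind-address
# setting that the quoted advice recommends (127.0.0.1 = loopback only).

# mysqld_bind_address FILE
# Prints the effective bind-address from the [mysqld] section (the last
# occurrence wins, as the server itself applies options), or nothing if unset.
mysqld_bind_address() {
    awk '
        # A line such as "[mysqld]" or "[client]" starts a new section.
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        # MySQL accepts "bind-address" and "bind_address" interchangeably.
        in_mysqld && /^[ \t]*bind[-_]address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop the "bind-address =" prefix
            sub(/[ \t#].*$/, "")           # drop trailing comment/whitespace
            val = $0
        }
        END { print val }
    ' "$1"
}

# is_loopback_only FILE
# Returns 0 when mysqld is restricted to the local host, 1 otherwise
# (no bind-address at all means "listen on every interface").
is_loopback_only() {
    case "$(mysqld_bind_address "$1")" in
        127.0.0.1|::1) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit FILE: print a human-readable verdict for one option file.
audit() {
    if is_loopback_only "$1"; then
        echo "$1: OK, mysqld bound to loopback ($(mysqld_bind_address "$1"))"
    else
        echo "$1: EXPOSED, bind-address is '$(mysqld_bind_address "$1")' (empty = all interfaces)"
    fi
}

# Constructed sample option files for demonstration; on a real server
# point audit at the live file (commonly /etc/my.cnf or /etc/mysql/my.cnf).
demo() {
    dir=$(mktemp -d)
    # Weak: the parameter is missing, so the server listens on 0.0.0.0.
    cat > "$dir/weak.cnf" <<'EOF'
[client]
port = 3306

[mysqld]
port = 3306
datadir = /var/lib/mysql
EOF
    # Fixed: the line the article recommends adding under [mysqld].
    cat > "$dir/fixed.cnf" <<'EOF'
[client]
port = 3306

[mysqld]
port = 3306
datadir = /var/lib/mysql
bind-address = 127.0.0.1   # local connections only
EOF
    audit "$dir/weak.cnf"
    audit "$dir/fixed.cnf"
    rm -rf "$dir"
}

demo
```

Restricting the bind address only closes the network path; the server still has to be restarted for the new setting to take effect, and the host-based grants (`'user'@'host'` entries) that Moore mentions remain the second layer if the listener cannot be confined to loopback.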
Here is Rapid7's list of vulnerable editions of MySQL and MariaDB on various Linux distributions:
Confirmed as vulnerable: