Overview
Customers may enquire whether it is possible to upgrade the embedded MySQL on the ScaleArc appliance to MySQL 5.6 or 5.7 to mitigate the CVE-2006-1516 (MySQL Anonymous Login Handshake Remote Information Disclosure) vulnerability.
Information
The CVE-2006-1516 vulnerability alert that often triggers the MySQL upgrade question is a false positive generated when Nessus scans the ScaleArc MySQL clusters, so the alert can be safely ignored. See Embedded MySQL Marked As Vulnerable by Nessus (CVE-2006-1516) for more information on this issue.
Note that there are no immediate plans to upgrade the MySQL package to a new version. All recent ScaleArc versions are based on CentOS 7.5, with the latest release (ScaleArc 2021.1) running an embedded version of MySQL 5.5.65, which is not susceptible to the CVE-2006-1516 vulnerability.
The mariadb and mariadb-libs packages are tied to the 5.5.65 version present in CentOS 7.5; therefore, if either package is upgraded externally, a future ScaleArc upgrade could fail due to package dependency pre-checks.