MySQL Security Advisory & RDS

AWS provides a very useful page where you can find all the latest security bullettins. That’s the main point of reference about MySQL and┬áCommon Vulnerabilities and Exposures (CVE). Even approaching AWS (opening a ticket with business support) still brings to that page as the official source:

Any official announcement related to the CVE’s will be posted on the following site:
https://aws.amazon.com/security/security-bulletins/

There is even a Security Bulletin RSS Feed. So far so good.

But how fast is AWS in reacting to MySQL security advisories? Let’s consider the latest two available on the page:

untitled

If you double check CVE-2016-6663 and CVE-2016-6664, the vulnerabilities were disclosed on November 2nd. Percona released a statement and patches for all supported releases the same day. MariaDB addressed the topic the same day as well . MySQL was already patched when the vulnerabilities were disclosed.

What about RDS?

The RDS team took almost 10 days to provide a statement on the topic. The fact that those issues did not apply at the end to RDS is not very relevant:

We have determined that AWS customers’ resources are not affected by these issues.

But either the team did not know until so late or they forgot to update the users. What about CVE-2016-6662? You can find a very similar pattern on the previous vulnerability. It takes longer to AWS to provide a statement than to other MySQL vendors to release a patch. Somehow surprising.

Other options?

To mitigate risks and be always up to date on MySQL related announcements, it’s better to subscribe to multiple sources including: