On October 16th, Oracle announced security vulnerabilities and associated software patches affecting MySQL 5.5 and 5.6: http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL. RDS instances following the best practices guideline of using restricted access security groups will be upgraded to MySQL 5.5.40 or 5.6.21, the new versions that have these patches, during their normal maintenance windows. For RDS instances where customers have configured unrestricted access from the Internet (e.g., CIDR rules with suffix /0), we recommend customers immediately change their security groups to restrict inbound access on database ports to only those source IP addresses from which legitimate connections to the database should originate. This will mitigate the security vulnerabilities. For information on reconfiguring the access to your database, please refer to: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html.

To fully address these vulnerabilities, your database instances must be upgraded to either MySQL 5.5.40 or 5.6.21. Amazon RDS will make the new MySQL versions available by 12:00 PM PDT on Friday, 17 Oct 2014. Customers may choose to manually upgrade their instances at that time or wait for the next regular maintenance window during which we will automatically perform the upgrades. At the time of the upgrade, your database instances (either Single-AZ or Multi-AZ) will undergo a reboot and will be unavailable for a few minutes.

Any RDS instances which continue to allow unrestricted access from the Internet by 12:00 PM PDT on Friday, 17 Oct 2014 will be automatically upgraded after that time, ahead of their maintenance window. In addition, 5.5 and 5.6 database instances which have not yet been upgraded by customers, regardless of the state of their security groups, will be upgraded during their maintenance windows between 12:00 PM PDT on Monday, 20 Oct 2014 and 11:59 PM PDT on Monday, 27 Oct 2014. You can upgrade at a time of your choosing before your maintenance window by using the Modify operation. Note that this mandatory upgrade will take place even if you selected 'No' for the Auto Minor Version Upgrade option.
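The two conditions this bulletin turns on, a /0 source rule on the database port and an engine version below 5.5.40 or 5.6.21, can be checked together. The following is an added example, not AWS code: it assumes instance and VPC security group records shaped like the `DescribeDBInstances` and `DescribeSecurityGroups` API responses, and every identifier and value in the sample data is constructed.

```python
import ipaddress
import re

PATCHED = {(5, 5): (5, 5, 40), (5, 6): (5, 6, 21)}  # fixed releases named in the bulletin

def open_to_world(perm, port):
    """True if one IpPermissions entry admits a /0 source on `port`."""
    proto = perm.get("IpProtocol")
    covers = proto == "-1" or (
        proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return covers and any(
        ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def needs_upgrade(version):
    """True for a 5.5/5.6 version below the fixed release (suffix like '19a' tolerated)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    parts = tuple(int(x) for x in m.groups()) if m else ()
    fixed = PATCHED.get(parts[:2])
    return fixed is not None and parts < fixed

def audit(instances, groups):
    """Map each MySQL instance id to its exposure and patch status."""
    by_id = {g["GroupId"]: g for g in groups}
    report = {}
    for db in instances:
        if db.get("Engine") != "mysql":
            continue
        port = db.get("Endpoint", {}).get("Port", 3306)  # 3306 assumed if absent
        perms = [p for sg in db.get("VpcSecurityGroups", [])
                 for p in by_id.get(sg["VpcSecurityGroupId"], {}).get("IpPermissions", [])]
        report[db["DBInstanceIdentifier"]] = {
            "exposed": any(open_to_world(p, port) for p in perms),
            "needs_upgrade": needs_upgrade(db["EngineVersion"])}
    return report

# Constructed sample data (not real resources).
def _rule(cidr):  # one tcp/3306 ingress rule for the given source CIDR
    return {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": cidr}]}
GROUPS = [{"GroupId": "sg-open", "IpPermissions": [_rule("0.0.0.0/0")]},
          {"GroupId": "sg-office", "IpPermissions": [_rule("203.0.113.0/24")]}]
INSTANCES = [
    {"DBInstanceIdentifier": "db-a", "Engine": "mysql", "EngineVersion": "5.6.19a",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "db-b", "Engine": "mysql", "EngineVersion": "5.5.40",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-office"}]}]
if __name__ == "__main__":
    print(audit(INSTANCES, GROUPS))
```

An instance reported as `exposed` needs its security group narrowed to known source addresses; one reported as `needs_upgrade` is still below the fixed release for its series.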

For more information about these vulnerabilities, please visit:

For more information about upgrading your database instance, please visit: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeInstance.html