4.4 Harden Usage for 'local_infile' on MySQL Clients

Information

The local_infile parameter dictates whether files located on the MySQL client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.

Rationale:

For MySQL client programs and connectors prior to 8.0.21, disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via an SQL injection vulnerability.

Impact:

Disabling local_infile will impact the functionality of solutions that rely on it.

Solution

Upgrade all MySQL clients and connectors to 8.0.21 or higher.

In the case where using local_infile is needed, the following changes further harden security:

On client side, secure by:

Limiting the location from where data can be read using --load-data-local-dir.

mysql --local-infile=0 --load-data-local-dir=/my/local/data

Adding TLS connection to assure server identity by requiring verification.

mysql --local-infile=0 --load-data-local-dir=/my/local/data --ssl-mode=VERIFY_IDENTITY

If local_infile is not in use or if clients are not upgraded - add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:

local-infile=0

Default Value:

0 (OFF)

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|4.7

Plugin: MySQLDB

Control ID: 66fd32454a98ebfc1ddf9276125a43a9fc27c9be0c4167d75a3915609a832633