[Webmakers] Mysql database changes for state websites

Kurt Huhn Kurt.Huhn at DoIT.ri.gov
Wed Jun 20 11:00:07 EDT 2012


All,

As you are probably aware, there was an incident a couple weeks ago regarding one of the State's websites.  While that incident appeared isolated and did not affect other websites, we are proactively taking steps in order to mitigate any further risk of attack.

Part of our mitigation strategy is to change any database access that originates from the Statewide web server (Soriweb) to have read-only permissions.  This will help prevent database corruption from malicious individuals or organizations that may attempt to exploit vulnerabilities in website code and user account permissions.

We have already begun this process, and have thoroughly tested a handful of websites.  By the end of the business day today, all other accounts will reflect the changes we have made to the test subset.  This should not impact the functionality of your websites, but it will impact your ability to update your database until a new user account is created with new credentials.  Generally the creation of this account takes only a few moments, but it will require some changes on your side to whatever process, procedure, or scripts you run from internal systems to the mysql server in the DMZ.

There are, of course, some exceptions, and those will be dealt with on an individual basis.  If you have an application that is served from Soriweb, uses the mysql database, and requires write (update, insert) access to your database, please let me know ASAP.  The best way of getting my attention in this regard is to open a Service Desk ticket; that way I can easily track these requests without them getting lost in my inbox.

Please email me with questions.

--Kurt


-- 

Kurt Huhn
kurt.huhn at doit.ri.gov
Unix, Linux, TSM, and Storage Administration
DOA, DoIT, State of RI 
50 Service Avenue
Warwick, RI 02886
401.462.4736
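
One way to express the account split described in this message, as added example SQL that is not part of the original e-mail and not the State's actual configuration. The database name, account names, host names and passwords are constructed placeholders, and the existing web account is assumed to hold database-level grants.

```sql
-- Constructed placeholders throughout: agency_db, agency_web, agency_update,
-- web.example.internal, updater.example.internal, CHANGE_ME.

-- 1. Convert the existing web-server account to read-only.
--    Assumes it currently holds grants at the agency_db.* level.
REVOKE ALL PRIVILEGES ON agency_db.* FROM 'agency_web'@'web.example.internal';
GRANT SELECT ON agency_db.* TO 'agency_web'@'web.example.internal';

-- 2. Separate account for content updates, with new credentials, that can
--    connect only from the internal system that runs the update scripts.
CREATE USER 'agency_update'@'updater.example.internal'
  IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON agency_db.* TO 'agency_update'@'updater.example.internal';

-- 3. Audit: any database-level privilege other than SELECT still held by an
--    account that connects from the web server. Expect zero rows.
SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
WHERE grantee LIKE '%@''web.example.internal'''
  AND privilege_type <> 'SELECT';

-- 4. Audit: table-level grants can reintroduce write access even when the
--    database-level grant is read-only. Expect zero rows.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee LIKE '%@''web.example.internal'''
  AND privilege_type <> 'SELECT';

-- 5. Audit: global privileges apply to every database on the server, so a
--    web-server account should hold nothing here beyond USAGE.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE grantee LIKE '%@''web.example.internal'''
  AND privilege_type <> 'USAGE';

-- 6. Confirm the effective grants for the web account.
SHOW GRANTS FOR 'agency_web'@'web.example.internal';
```

The three audit queries should be run by an administrative account, because an ordinary account sees only its own rows in these `information_schema` tables.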
 
 
 




