Magellan: SQLite vulnerability puts Million Apps at Risk

[German]Security researchers have discovered a critical vulnerability (Magellan) in the widely used SQLite database software. This could allow attackers to remotely execute arbitrary or malicious code on affected devices.


Advertising

What's SQLite?

SQLite is a widely used relational database management system that has minimal requirements from operating systems or external libraries. Therefore it is compatible with almost all devices, platforms and programming languages and is widely used for data storage in app and application development.

The SQLite vulnerability

The Hacker News reported here that Tencent's Blade security team has discovered a vulnerability, named Magellan, in SQLite. This vulnerability in in older SQLite versions could allow attackers to execute arbitrary code on affected devices over the Internet or a network. 

The problem is that SQL is not only used by millions of apps and applications, but also by browsers based on Chromium. So anyone using an SQL dependant app, application or Chromium-based browser may be vulnerable.

So far, however, the discoverers of the vulnerability have not been aware of any cases in which it has been exploited. For security reasons, security specialists do not disclose details of the vulnerability.

When will the vulnerability be fixed?

SQLite has released version 3.26.0, which  fixes the bug. Users can only rely on developers who use SQLite in their apps and applications to create and deliver an update of the SQLite libraries used to this version.


Advertising

For the Google Chrome browser and all other browsers based on Chromium, the SQLite vulnerability should be fixed with Chromium version 71.0.3578.80 (released December 4, 2018).


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).