Bug #58152 Option to hide server version
Submitted: 12 Nov 2010 2:26
Reporter: Mikiya Okuno
Status: Verified
Category: MySQL Server: Options
Severity: S4 (Feature request)
Version: any
OS: Any
Assigned to:
CPU Architecture: Any

[12 Nov 2010 2:26] Mikiya Okuno
Displaying the version number gives a cracker an opportunity to attack known security bugs if the version is old. Hiding the version number may reduce opportunities to attack a security hole which is open in a certain version only.

How to repeat:

Suggested fix:
Please add an option like --blind-version or similar for mysqld.
[12 Nov 2010 2:33] Davi Arnaut
Can't the cracker just attempt to use the exploit?
[12 Nov 2010 9:50] MySQL Verification Team

Yeah, you're right. By hiding version information, an attacker must guess whether an exploit. This will cause some failed attempts to attack the server, then logs may give the defender a chance to block an attacker.
[7 Jun 2012 7:10] MySQL Verification Team
I believe an unauthenticated user should not need to know the exact version.  They should know just enough to get authenticated, but not more.

"telnet <IP> 3306" will give it to any host that is allowed.

I guess it's okay for an authenticated user to see the version via SELECT VERSION().
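The disclosure described in the comment above, as an added example that is not part of the bug report or MySQL's own code: the first packet a server sends, before the client has sent anything, is a protocol 10 handshake whose payload begins with the NUL-terminated server version, while a host that is not allowed gets an ERR packet instead. The sample packets, the version string and the host name are constructed, and the sample greeting stops after the filler byte that follows the first 8 bytes of auth data.

```python
import socket
import struct

def parse_greeting(packet: bytes) -> dict:
    """Decode the first packet a MySQL server sends, before any login."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(packet[:3], "little")    # 3-byte payload length
    payload = packet[4:4 + length]                   # byte 3 is the sequence id
    if length == 0 or len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:
        # ERR packet: sent instead of a greeting, for example when the
        # client host is not allowed to connect. It carries no version.
        if length < 3:
            raise ValueError("truncated ERR packet")
        code = struct.unpack_from("<H", payload, 1)[0]
        return {"kind": "error", "code": code,
                "message": payload[3:].decode("utf-8", "replace")}
    if payload[0] != 10:
        raise ValueError("not a protocol 10 handshake")
    end = payload.index(b"\x00", 1)                  # version is NUL-terminated
    return {"kind": "handshake",
            "server_version": payload[1:end].decode("ascii", "replace")}

def read_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect, read exactly one packet without sending anything, parse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        header = stream.read(4)
        body = stream.read(int.from_bytes(header[:3], "little"))
    return parse_greeting(header + body)

# Constructed sample packets (not captured from a real server).
GREETING_BODY = (b"\x0a" + b"8.0.0-constructed\x00" + struct.pack("<I", 42)
                 + b"A" * 8 + b"\x00")
SAMPLE_GREETING = len(GREETING_BODY).to_bytes(3, "little") + b"\x00" + GREETING_BODY
REFUSAL_BODY = (b"\xff" + struct.pack("<H", 1130)
                + b"Host 'client.example' is not allowed to connect")
SAMPLE_REFUSAL = len(REFUSAL_BODY).to_bytes(3, "little") + b"\x00" + REFUSAL_BODY

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING))   # version visible pre-authentication
    print(parse_greeting(SAMPLE_REFUSAL))    # refused host: error only
```

`read_greeting` is there for checking what a server you administer discloses from a given network position; the parser itself runs offline on the constructed samples.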
[29 Mar 2021 6:27] xingchen lu
Hi Dev team, any plan to fix this problem?