We're running a current version (5.0.x) of MySQL with Foglight and a security scan came up with the following vulnerability:
MySQL Command Line Client HTML Special Characters HTML Injection Vulnerability
How does this apply to Foglight?
The CVE-2008-4456 advisory is not relevant to Foglight because we do not compose HTML from the command-line client.
The advisory covers situations where the command-line client "mysql" (which we do not use) outputs query results in HTML format via the --html option. Because the affected versions do not escape HTML special characters, a malicious script stored in the database is copied verbatim into that output; if the resulting HTML is loaded directly in a browser, the script could execute.
Foglight itself does not use the command-line client, and you should not access the embedded database directly yourselves: it exists only for Foglight's use.
All current 5.0 versions of the MySQL command line client are affected by CVE-2008-4456.
While Sun Microsystems is developing a fix for this, customers can avoid this vulnerability by removing the mysql executable found in $FGLHOME/mysql/bin (for the embedded MySQL Database). The command-line client is not necessary for running the Foglight Management Server; however, we do use it for support purposes. We therefore recommend that a backup copy be maintained and that the Support Engineer be informed during any support case that the executable has been removed.
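To make the issue concrete, the following is an added Python illustration (not code from this article or from the MySQL client) that mimics the table markup the mysql client emits with --html: once copying cell data verbatim, as the affected 5.0 versions do, and once entity-encoding it, as the fix does, together with a check for tags that can only have come from data rather than from the client. The TABLE/TR/TH/TD markup, the sample result set and the function names are constructed for the example.

```python
import html
import re

# Constructed result set: one cell carries attacker-controlled markup,
# standing in for a row that was written into the database.
COLUMNS = ["id", "comment"]
ROWS = [
    (1, "plain text"),
    (2, '<script>alert("stored in db")</script>'),
    (3, "a & b < c"),
]

# Tags the client's own --html output consists of (assumed for the example).
CLIENT_TAGS = {"TABLE", "TR", "TH", "TD"}


def render_html_table(columns, rows, escape):
    """Emit --html style table markup for a result set.

    escape=False mirrors the vulnerable behaviour: cell text is copied
    verbatim, so markup stored in the database becomes markup in the output.
    escape=True mirrors the fix: <, >, &, " and ' are entity-encoded, so data
    can never be parsed as markup by a browser.
    """
    def cell(value):
        text = str(value)
        return html.escape(text, quote=True) if escape else text

    out = ["<TABLE BORDER=1>"]
    out.append("<TR>" + "".join(f"<TH>{cell(c)}</TH>" for c in columns) + "</TR>")
    for row in rows:
        out.append("<TR>" + "".join(f"<TD>{cell(v)}</TD>" for v in row) + "</TR>")
    out.append("</TABLE>")
    return "\n".join(out)


def foreign_tags(rendered):
    """Return tag names in the output that the client itself never emits.

    A '<' directly followed by a tag name is what a browser treats as a tag;
    anything outside CLIENT_TAGS therefore originated in cell data.
    """
    names = re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)
    return sorted({n.upper() for n in names} - CLIENT_TAGS)


if __name__ == "__main__":
    print(foreign_tags(render_html_table(COLUMNS, ROWS, escape=False)))  # ['SCRIPT']
    print(foreign_tags(render_html_table(COLUMNS, ROWS, escape=True)))   # []
```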
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.