Bug 1414423 (CVE-2017-3265)
| Summary: | CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | apevec, avibelli, ayoung, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, duge, gsterlin, hhorak, jbalunas, jjoyce, jorton, jschluet, jshepherd, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, rbryant, rrajasek, sclewis, slinaber, srevivo, tdecacqu, tjay, tkirby |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
Multiple flaws were found in the way the MySQL init script handled initialization of the database data directory and permission setting on the error log file. The mysql operating system user could use these flaws to escalate their privileges to root.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-03-21 14:49:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1414386, 1445537, 1445538, 1458940, 1463411, 1463412, 1463413, 1463414 | ||
| Bug Blocks: | 1414362 | ||
|
Description
Tomas Hoger
2017-01-18 13:05:49 UTC
The CVE was made public via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1414387] Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1414386] This flaw is in the SysV init script used in upstream RPM packages for Red Hat Enterprise Linux and Oracle Enterprise Linux. Red Hat MySQL packages does not use init script from MySQL sources, but include own init script. However, these init scripts have common origin and share this issue. mysql packages in Red Hat Enterprise Linux 5 and 6 are affected and contain the vulnerable code in /etc/rc.d/init.d/mysqld. mysql55-mysql packages in Red Hat Enterprise Linux 5 are affected, init script is /etc/rc.d/init.d/mysql55-mysqld. mariadb packages in Red Hat Enterprise Linux 7 do not include init script as the system uses systemd. The affected code can be found in /usr/libexec/mariadb-prepare-db-dir which is run as ExecStartPre script as defined in the mariadb.service systemd unit file. As all commands executed from the mariadb.service unit are run with mysql OS user privileges, root privilege escalation is not possible. It would only be possible if the script was manually run by the root user. rh-mysql56-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 include the affected code in /opt/rh/rh-mysql56/root/usr/libexec/mysql-prepare-db-dir, which is called by the init script. Issues were partially addressed in the recent RHSA-2016:2749, which removed recursive chown of the data directory, and added an incomplete symlink check for the error log file. rh-mysql56-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 7 include the same version of the mysql-prepare-db-dir script as is used for Red Hat Enterprise Linux 6. The script is configured as ExecStartPre in the rh-mysql56-mysqld.service unit file. However, unlike mariadb packages in Red Hat Enterprise Linux 7, pre-start scripts are run with root privileges rather than mysql user privileges (configured using PermissionsStartOnly=true). rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the affected code in /opt/rh/rh-mysql57/root/usr/libexec/mysql-prepare-db-dir. The script is run form the rh-mysql57-mysqld init script or the rh-mysql57-mysqld.service systemd unit, and in both cases it's run with mysql user privileges, and therefore root privilege escalation is not possible. rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 7 include additional systemd unit - rh-mysql57-mysqld@.service - which runs another pre-start script - /opt/rh/rh-mysql57/root/usr/bin/mysqld_pre_systemd. The script is run with root privileges, and contains similar vulnerable code for creating and setting permissions on the error log file. However, this unit file does not properly set environment before running mysqld, causing it to fail to run. Therefore, the unit file is very unlikely to be used. rh-mariadb100-mariadb packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the vulnerable code in /opt/rh/rh-mariadb100/root/usr/libexec/mysql-prepare-db-dir. The script is run from the rh-mariadb100-mariadb init script or rh-mariadb100-mariadb.service systemd unit. On Red Hat Enterprise Linux 6, the script is run with root privileges, but it's run with mysql privileges on Red Hat Enterprise Linux 7. Therefore, privilege escalation is only possible on Red Hat Enterprise Linux 6. rh-mariadb101-mariadb packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the vulnerable code in /opt/rh/rh-mariadb101/root/usr/libexec/mysql-prepare-db-dir. The script is run from the rh-mariadb101-mariadb init script or rh-mariadb101-mariadb.service and rh-mariadb101-mariadb@.service systemd units. Similarly to the rh-mariadb100 collection, the script is only run with root privileges on Red Hat Enterprise Linux 6, making only that version vulnerable to the privilege escalation issue. mariadb-galera packages in Red Hat Enterprise Linux OpenStack Platform 5 for Red Hat Enterprise Linux 6 include the vulnerable code in the /etc/rc.d/init.d/mysqld init script and are affected by this problem. mariadb-galera packages in Red Hat Enterprise Linux OpenStack Platform 5, 6, 7, 8, 9, and 10 for Red Hat Enterprise Linux 7 include the vulnerable code in /usr/libexec/mariadb-prepare-db-dir, which is run as pre-start script from the mariadb.service systemd unit. The script is run with mysql user privileges and therefore no privilege escalation is possible. (In reply to Tomas Hoger from comment #5) > rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat > Enterprise Linux 7 include additional systemd unit - > rh-mysql57-mysqld@.service - which runs another pre-start script - > /opt/rh/rh-mysql57/root/usr/bin/mysqld_pre_systemd. The script is run with > root privileges, and contains similar vulnerable code for creating and > setting permissions on the error log file. This issue is addressed in MySQL 5.7.17: https://github.com/mysql/mysql-server/commit/76e9d7e5b30365e8b167e2070ee00f81cb115b8b https://github.com/mysql/mysql-server/commit/7a5145e445ee802241957eb5290a3e65ea4da70c This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574 Acknowledgments: Name: Red Hat Product Security |