Bug 1509475 (CVE-2018-2696)
| Field | Value |
|---|---|
| Summary | CVE-2018-2696 mysql: sha256_password authentication DoS via long password |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | apevec, chrisw, databases-maint, dciabrin, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, kvolny, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, security-response-team, slinaber, srevivo, tdecacqu, thoger |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | mysql 5.6.39, mysql 5.7.21 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2018-03-26 11:30:25 UTC |
| Bug Depends On | 1533831, 1533832, 1533833, 1533834, 1535520 |
| Bug Blocks | 1509486, 1535524 |
Description
Tomas Hoger
2017-11-03 21:13:01 UTC
Acknowledgments: Name: Red Hat Product Security

Created attachment 1348482
Proposed fix
I believe setting an arbitrary password length limit is the way to fix this issue. The alloca() problem can be fixed without such a limit, but the CPU usage DoS can only be addressed by limiting the size of the key / password passed to the my_crypt_genhash() function. Changing the hashing itself would not be backwards compatible. The only question is the actual limit value.
This issue was fixed in MySQL 5.6.39 and 5.7.21:
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-39.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html

Incompatible Change: Passwords are now restricted to a maximum of 256 characters for the sha256_password authentication plugin, and for the PASSWORD() function when old_passwords=2. Also, the number of password hashing rounds is capped to limit CPU time used. (Bug #27099029, Bug #27194270)

Upstream commit: https://github.com/mysql/mysql-server/commit/475dcde2c7856dd0050b967099a86c087d94f32f

This is now also public via Oracle CPU January 2018:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Via RHSA-2018:0587 https://access.redhat.com/errata/RHSA-2018:0587

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Via RHSA-2018:0586 https://access.redhat.com/errata/RHSA-2018:0586
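The mechanism behind the CPU-time DoS described in the comment above, and the two limits the upstream fix introduces, as an added example that is not part of this bug's comments, the "Proposed fix" attachment, MySQL's code or the upstream commit: a Python implementation of the crypt-style SHA-256 scheme ($5$ hashes, the Drepper SHA-crypt construction, which to my knowledge is what my_crypt_genhash() implements; that link is an assumption the page does not state) instrumented to count the bytes fed to SHA-256. The "P sequence" step hashes the password once per byte of the password, so the work grows quadratically with password length before the rounds loop multiplies it again by roughly rounds x length; this is why only a length cap, not a fix to the alloca() buffer, removes the CPU cost. guarded_genhash models the fix: it rejects passwords over 256 bytes before hashing anything and clamps the rounds count. The 256 limit is the documented one; the rounds cap value (5000 here) is an assumption, since the page gives no number. All function and constant names are the example's own.

```python
"""SHA-crypt ($5$) instrumented to count bytes hashed, plus the limits from the fix.

Added example for this bug page; not MySQL's code. Names are the example's own.
"""
import hashlib
import re

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999

MAX_PASSWORD_LEN = 256   # documented cap from MySQL 5.6.39 / 5.7.21 (modelled in bytes)
ROUNDS_CAP = 5000        # assumption: the page does not state the real cap value


class CountingSha256:
    """hashlib.sha256 wrapper that adds every byte fed to it to a shared counter."""

    def __init__(self, counter):
        self.h, self.counter = hashlib.sha256(), counter

    def update(self, data):
        self.counter[0] += len(data)
        self.h.update(data)

    def digest(self):
        return self.h.digest()


def _b64_24bit(b2, b1, b0, n):
    """crypt-style base64 of a 24-bit word, least significant 6 bits first."""
    w, out = (b2 << 16) | (b1 << 8) | b0, []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha256_crypt(password: bytes, setting: str, rounds_max=ROUNDS_MAX):
    """Return (hash string, bytes fed to SHA-256) for a '$5$[rounds=N$]salt' setting."""
    if not setting.startswith("$5$"):
        raise ValueError("not a $5$ setting")
    rest, rounds, custom = setting[3:], ROUNDS_DEFAULT, False
    m = re.match(r"rounds=(\d+)\$", rest)
    if m:
        rounds = min(max(int(m.group(1)), ROUNDS_MIN), rounds_max)
        custom, rest = True, rest[m.end():]
    salt = rest.split("$")[0][:16].encode()
    klen, slen, counter = len(password), len(salt), [0]

    ctx = CountingSha256(counter)
    ctx.update(password)
    ctx.update(salt)
    alt = CountingSha256(counter)
    alt.update(password)
    alt.update(salt)
    alt.update(password)
    alt_result = alt.digest()
    cnt = klen
    while cnt > 32:                      # one byte of digest B per password byte
        ctx.update(alt_result)
        cnt -= 32
    ctx.update(alt_result[:cnt])
    cnt = klen
    while cnt > 0:                       # one step per bit of the password length
        ctx.update(alt_result if cnt & 1 else password)
        cnt >>= 1
    alt_result = ctx.digest()

    # P sequence: the password is hashed once PER BYTE of the password, so this
    # step alone feeds len(password)**2 bytes into SHA-256 (quadratic cost).
    alt = CountingSha256(counter)
    for _ in range(klen):
        alt.update(password)
    temp = alt.digest()
    p_bytes = temp * (klen // 32) + temp[: klen % 32]
    # S sequence: the salt is hashed 16 + alt_result[0] times.
    alt = CountingSha256(counter)
    for _ in range(16 + alt_result[0]):
        alt.update(salt)
    temp = alt.digest()
    s_bytes = temp * (slen // 32) + temp[: slen % 32]

    # Rounds loop: every round re-hashes P (password length) once or twice, so
    # the cost is about rounds * len(password) on top of the quadratic step.
    for i in range(rounds):
        ctx = CountingSha256(counter)
        ctx.update(p_bytes if i & 1 else alt_result)
        if i % 3:
            ctx.update(s_bytes)
        if i % 7:
            ctx.update(p_bytes)
        ctx.update(alt_result if i & 1 else p_bytes)
        alt_result = ctx.digest()

    r = alt_result
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_24bit(r[a], r[b], r[c], 4) for a, b, c in order)
    enc += _b64_24bit(0, r[31], r[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if custom else "")
    return prefix + salt.decode() + "$" + enc, counter[0]


def hashing_cost(password_len: int, rounds: int = ROUNDS_DEFAULT) -> int:
    """Bytes fed to SHA-256 for a constructed password of password_len bytes."""
    return sha256_crypt(b"A" * password_len, f"$5$rounds={rounds}$saltstring")[1]


def guarded_genhash(password: bytes, setting: str) -> str:
    """Model of the fixed behaviour: reject over-long passwords before hashing
    anything and clamp the rounds count, so the client cannot choose the cost."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError(f"password longer than {MAX_PASSWORD_LEN} bytes")
    return sha256_crypt(password, setting, rounds_max=ROUNDS_CAP)[0]


if __name__ == "__main__":
    print(sha256_crypt(b"Hello world!", "$5$saltstring")[0])
    for n in (12, 256, 2048, 4096):
        print(f"{n:5d}-byte password -> {hashing_cost(n):>12,d} bytes hashed")
```

Running the block prints the standard SHA-crypt test vector for "Hello world!" with salt "saltstring" and then the byte counts for 12-, 256-, 2048- and 4096-byte passwords; doubling the length more than doubles the work, and a 4096-byte password already costs well over a hundred times a normal one, which is the scaling the comment above refers to. The check in guarded_genhash runs before any hashing, as a server-side limit must: a cap applied after my_crypt_genhash() has already consumed the CPU would not help.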