Bug 1524234 (CVE-2017-15365)

Summary: CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, chrisw, databases-maint, dciabrin, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, slinaber, srevivo, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mariadb 10.2.10, mariadb 10.1.30 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that MariaDB could replicate certain data definition language (DDL) commands to other cluster nodes despite an access control check failure. A user with an SQL access to the server could possibly use this flaw to perform database modification on certain cluster nodes without having privileges to perform such changes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-21 21:02:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1524235, 1524767, 1527365, 1558264, 1558265, 1701268    
Bug Blocks: 1523473    

Description Sam Fowler 2017-12-11 01:56:19 UTC 
MariaDB have noted in their release notes that reserved CVE-2017-15365 has been fixed in version 10.2.10[1], however they have not described how or what the vulnerability was. This CVE is also mentioned to affect Percona[2] with the fix is described as:

"Added access checks for DDL commands to make sure they do not get replicated if they failed without proper permissions"

A comparison with the MariaDB 10.2.10 changelog[3] and Percona description finds this commit[4], which seems a likely candidate for both describing and fixing the vulnerability.
The vulnerable code block in sql/event_data_objects.cc is also present in version 10.1, suggesting that it is also affected.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
[1] https://mariadb.com/kb/en/library/mariadb-10210-release-notes/
[2] https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html
[3] https://mariadb.com/kb/en/library/mariadb-10210-changelog/
[4] https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e
Comment 1 Sam Fowler 2017-12-11 01:57:06 UTC 
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1524235]
Comment 2 Sam Fowler 2017-12-12 01:50:04 UTC 
Created mariadb tracking bugs for this issue:

Affects: openstack-rdo [bug 1524767]
Comment 5 Michal Schorm 2018-02-08 03:36:52 UTC 
Hi, upstream says on https://mariadb.com/kb/en/library/security/ that the issue has been fixed in both MariaDB 10.2.10, MariaDB 10.1.30.

There are no older versions present in Fedora.
Can I just close the Fedora bug, or do we need more complicate fix on downstream side?
Comment 6 Michal Schorm 2018-02-08 03:39:12 UTC 
Yeah, I'm so blind I can't even read my own notes.

The Fedora bug was left open till 10.2.10 released in F27.
I had long long troubles releasing that (and 10.2.12) update, and I forgot to add it to it as solved.
Comment 8 errata-xmlrpc 2019-05-21 19:54:31 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1258 https://access.redhat.com/errata/RHSA-2019:1258