Bug 1568932 (CVE-2018-2773)

Summary: CVE-2018-2773 mysql: pid file can be created in a world-writeable directory (CPU Apr 2018)
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: apevec, chrisw, databases-maint, dciabrin, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, kbost, lhh, lpeer, markmc, mbayer, mburns, mkocka, mmuzila, mschorm, praiskup, rbryant, sclewis, slinaber, srevivo, tdecacqu
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mysql 5.5.60, mysql 5.6.40, mysql 5.7.22
Doc Type: If docs needed, set a value
Last Closed: 2018-11-26 20:38:10 UTC
Bug Depends On: 1568962, 1568963, 1568964, 1571158, 1571174, 1571242, 1642523
Bug Blocks: 1568977

Description Adam Mariš 2018-04-18 12:32:55 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Comment 1 Adam Mariš 2018-04-18 12:50:30 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1568963]


Created mariadb tracking bugs for this issue:

Affects: fedora-27 [bug 1568962]
Affects: fedora-26 [bug 1568964]

Comment 4 errata-xmlrpc 2018-04-26 07:27:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:1254 https://access.redhat.com/errata/RHSA-2018:1254

Comment 5 Tomas Hoger 2018-07-13 19:50:32 UTC
More details about this issue can be found in the MariaDB bug tracker:

https://jira.mariadb.org/browse/MDEV-13402

That bug notes there are actually two issues related to this CVE:

* Pid file created by mysql user is read by root when stopping mysqld

This is the problem that was reported to both Oracle and MariaDB. The problem is that mysqld creates the pid file after dropping privileges to the mysql user, and it is stored in a directory that is either owned by or writeable to the mysql user. However, during the service shutdown, the pid file is read by the init script run as root and the process with the id from the pid file is killed. Therefore, the mysql system user can use this to cause any system process to be killed by manipulating the contents of the pid file.

* Pid file can be created in a world-writeable directory

The above problem described in the report is not what was fixed in MySQL versions 5.5.60, 5.6.40, and 5.7.22.  The following patch was applied:

https://github.com/mysql/mysql-server/commit/ecc5a07874d

This change causes mysqld to log a warning when the pid file is configured to be stored in a world-writeable directory. If that happens, any system user would be able to cause an arbitrary process to be killed during the mysqld shutdown. However, this should definitely be considered a misconfiguration, and hence the fix is more of a hardening. Additionally, the fix does not prevent pid file creation in such a case; it only leads to a warning being logged.

Considering this CVE to apply to the hardening that was applied.  Future fixes to address the original problem, if any, should get a different CVE id.

MariaDB upstream does not seem to be planning to apply this hardening with questionable benefits.

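The shutdown path described in comment 5, a root-run init script trusting a pid file that the unprivileged mysql user can write, is where a defensive check belongs. The POSIX shell function below is an added example (not code from MySQL, MariaDB or the Red Hat packages); it returns a pid only if the pid file's directory and the file itself are not world-writable, the file is a plain regular file containing a single integer greater than 1, and the process with that id really is the expected daemon. The function name, the `/var/run/mysqld/mysqld.pid` path and the `mysqld` command name in the usage comment are assumptions.

```shell
# validate_pidfile PIDFILE EXPECTED_COMM
#   Prints the pid on stdout and returns 0 only if every check passes;
#   returns 1 otherwise, so a root-run "kill" never acts on an unverified pid.
#   Added example, not part of any init script shipped with MySQL/MariaDB.
validate_pidfile() {
    pidfile=$1
    expected=$2
    dir=$(dirname "$pidfile")

    # 1. The directory holding the pid file must not be world-writable
    #    (the condition the MySQL 5.7.22 change only warns about).
    [ -z "$(find "$dir" -prune -perm -0002 2>/dev/null)" ] || return 1

    # 2. The pid file must be a regular file, not a symlink, and must not be
    #    world-writable; otherwise its contents cannot be trusted.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1
    [ -z "$(find "$pidfile" -prune -perm -0002 2>/dev/null)" ] || return 1

    # 3. Contents must be a single positive integer greater than 1, so that
    #    neither garbage nor "1" (init/systemd) can ever be signalled.
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1

    # 4. The process must exist and its command name must match the daemon
    #    we intend to stop; a substituted pid of another process is refused.
    #    /proc/<pid>/comm is Linux-specific, ps is the portable fallback.
    kill -0 "$pid" 2>/dev/null || return 1
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || ps -o comm= -p "$pid" 2>/dev/null || true)
    [ "$comm" = "$expected" ] || return 1

    printf '%s\n' "$pid"
}

# Usage from an init script's stop action (assumed path and daemon name):
#   pid=$(validate_pidfile /var/run/mysqld/mysqld.pid mysqld) && kill "$pid"
```

Note that the check only limits what a root-run script will signal; it does not replace the systemd-managed shutdown that comment 6 describes, where the pid file is not consulted at all.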
Comment 6 Tomas Hoger 2018-07-13 19:59:13 UTC
Note that the original problem is relevant to systems where a SysV init script is used to start and stop mysqld. The script, as well as the kill command run to signal the running mysqld process, runs with root privileges and hence can kill processes the mysql user cannot kill.

The issue is not applicable to MySQL and MariaDB packages as shipped with Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 7 as start-up and shutdown of the service is managed by systemd.  The pid file created by mysqld is not used during service shutdown.

Comment 7 errata-xmlrpc 2018-11-26 12:30:44 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2018:3655 https://access.redhat.com/errata/RHSA-2018:3655