Bug 1894919 (CVE-2020-15180)
Summary: | CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
---|---
Product: | [Other] Security Response
Component: | vulnerability
Status: | CLOSED ERRATA
Severity: | high
Priority: | high
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Michael Kaplan <mkaplan>
Assignee: | Red Hat Product Security <security-response-team>
CC: | damien.ciabrini, databases-maint, dbecker, dciabrin, fdinitto, hhorak, jjoyce, jorton, jschluet, lhh, ljavorsk, lpeer, mbayer, mburns, mkocka, mmuzila, mschorm, sclewis, slinaber, SpikeFedora
Keywords: | Security
Fixed In Version: | mariadb 10.1.47, mariadb 10.2.34, mariadb 10.3.25, mariadb 10.4.15, mariadb 10.5.6
Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability.
Last Closed: | 2020-11-30 17:34:09 UTC
Bug Depends On: | 1894931, 1894932, 1894933, 1894934, 1894935, 1894936, 1894937, 1895500, 1895501, 1895502, 1895503, 1895504, 1895505, 1895506, 1896932
Bug Blocks: | 1894925
Description
Michael Kaplan
2020-11-05 12:38:44 UTC
Created galera tracking bugs for this issue:

Affects: epel-7 [bug 1894933]
Affects: fedora-all [bug 1894932]

Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894931]

Created mariadb:10.3/galera tracking bugs for this issue:

Affects: fedora-all [bug 1894935]

Created mariadb:10.3/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894934]

Created mariadb:10.4/galera tracking bugs for this issue:

Affects: fedora-all [bug 1894937]

Created mariadb:10.4/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894936]

The information included in comment 0 was quoted from the Percona blog post:
https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/

MariaDB upstream bug and commit:
https://jira.mariadb.org/browse/MDEV-23884
https://github.com/MariaDB/server/commit/418850b2df

MariaDB corrected this issue in versions 10.1.47, 10.2.34, 10.3.25, 10.4.15, and 10.5.6.

Percona XtraDB Cluster upstream bug (which remains non-public) and commits:
https://jira.percona.com/browse/PXC-3392
https://github.com/percona/percona-xtradb-cluster/commit/8a338477c9184dd0e03a5c661e9c3a79456de8a4
https://github.com/percona/percona-xtradb-cluster/commit/e9c63ff4bd34404fd3fde6802013ffeac950c0d1

Galera Cluster upstream announcement and the fix for mysql-wsrep part of the Galera Cluster:
https://galeracluster.com/2020/10/galera-cluster-for-mysql-5-6-49-5-7-31-and-8-0-21-released/
https://github.com/codership/mysql-wsrep/commit/4ea4b0c6a318209ac09b15aaa906c7b4a13b988c

Flaw summary:

Due to insufficient input sanitization, the mysql-wsrep component of Galera Cluster is vulnerable to command injection in the `wsrep_sst_method` field, which specifies the State Snapshot Transfer method[1]. The contents of `wsrep_sst_method` later get passed to pthread_create() as arguments. This allows for remote command injection across Galera Cluster nodes (joiner -> donor and locally to joiner) when a new node joins the cluster.

The patch introduces several routines and uses them in `wsrep_sst_donate_cb()` that check the `wsrep_sst_method` for valid input, and error otherwise.

1. https://mariadb.com/kb/en/introduction-to-state-snapshot-transfers-ssts/

Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Statement:

galera packages as shipped with Red Hat Enterprise Linux and Red Hat Software Collections are not affected because they do not contain the vulnerable mysql-wsrep component.

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5246 https://access.redhat.com/errata/RHSA-2020:5246

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-15180

This issue has been addressed in the following products:

Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:5379 https://access.redhat.com/errata/RHSA-2020:5379

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:5500 https://access.redhat.com/errata/RHSA-2020:5500

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5654 https://access.redhat.com/errata/RHSA-2020:5654

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5663 https://access.redhat.com/errata/RHSA-2020:5663

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5665 https://access.redhat.com/errata/RHSA-2020:5665
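
The flaw summary above says the fix checks `wsrep_sst_method` for valid input and errors otherwise. As an added example (not the upstream patch and not code from this bug report), the C routine below shows that kind of allowlist check applied to a peer-supplied request before the method name reaches any command line. The function names, the 64-byte limit, the assumed "method, NUL byte, data" buffer layout and the sample inputs are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SST_METHOD_MAX 64  /* hypothetical limit chosen for this example */

/* Allowlist for a plain script-style method name such as "rsync" or
 * "xtrabackup-v2": ASCII letters, digits, '-' and '_'. Explicit ranges keep
 * the check independent of the process locale. */
static bool method_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Validates the method field at the start of a request buffer received from
 * a peer. Assumed layout (constructed for this example): method name, one
 * NUL byte, then opaque data. Returns the method length, or -1 to reject. */
int sst_request_method_len(const unsigned char *req, size_t req_len)
{
    if (req == NULL || req_len == 0)
        return -1;
    /* Bound the search: never read past the bytes actually received. */
    const unsigned char *nul = memchr(req, '\0', req_len);
    if (nul == NULL)
        return -1;                    /* unterminated method field */
    size_t len = (size_t)(nul - req);
    if (len == 0 || len > SST_METHOD_MAX)
        return -1;                    /* empty or oversized name */
    for (size_t i = 0; i < len; i++)
        if (!method_char_ok(req[i]))
            return -1;                /* byte outside the allowlist */
    return (int)len;
}

int main(void)
{
    /* Constructed sample requests; sizeof includes the trailing NUL. */
    static const unsigned char ok[]  = "rsync\0" "10.0.0.2:4444";
    static const unsigned char bad[] = "rsync;echo constructed\0" "10.0.0.2:4444";
    printf("ok  -> %d\n", sst_request_method_len(ok, sizeof ok));
    printf("bad -> %d\n", sst_request_method_len(bad, sizeof bad));
    return 0;
}
```

Rejecting on the first byte outside the allowlist, rather than trying to escape or strip it, keeps the check simple to audit and fails closed on inputs nobody anticipated.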