Bug 1940909 (CVE-2021-27928)

Summary: CVE-2021-27928 mariadb: writable system variables allows a database user with SUPER privilege to execute arbitrary code as the system mysql user
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: damien.ciabrini, databases-maint, dbecker, dciabrin, dmoppert, hhorak, jjoyce, jorton, jschluet, lhh, ljavorsk, lpeer, mbayer, mburns, mkocka, mmuzila, mschorm, sclewis, slinaber, SpikeFedora, tvainio
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: mariadb 10.2.37, mariadb 10.3.28, mariadb 10.4.18, mariadb 10.5.9
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in mariadb and in the mysql wsrep patch that allows remote code execution. A user with SUPER privileges could execute arbitrary shell commands in the context of the mariadb server process.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-30 17:35:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1940911, 1940912, 1940913, 1940914, 1941387, 1941417, 1941418, 1941419, 1941420, 1941421, 1941423, 1941424, 1941425, 1941426, 1941427, 1941428, 1941429, 1941430, 1941431, 1941501
Bug Blocks: 1940915

Description Guilherme de Almeida Suckevicz 2021-03-19 14:28:33 UTC
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

Reference:
https://jira.mariadb.org/browse/MDEV-25179

Comment 1 Guilherme de Almeida Suckevicz 2021-03-19 14:30:02 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940911]

Created mariadb:10.3/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940912]

Created mariadb:10.4/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940913]

Created mariadb:10.5/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940914]

Comment 3 Summer Long 2021-03-22 01:25:05 UTC
Not verified, but looks like the upstream commit for 10.5.9 is: 
https://github.com/MariaDB/server/commit/ce3a2a688db556d8d077a409fd9bf5cc013d13dd

Comment 8 Doran Moppert 2021-03-22 06:16:37 UTC
Mitigation:

Only users that have the SUPER privilege can exploit this flaw.  To reduce your exposure, ensure user accounts with the SUPER privilege are protected with strong credentials, only allowed to connect locally and not shared with untrusted parties.
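An added example, not part of this bug report or of MariaDB itself: a small Python audit helper that ties the affected version ranges from the description to the mitigation above. It reports whether a server's version string falls inside the ranges fixed by 10.2.37 / 10.3.28 / 10.4.18 / 10.5.9, and lists SUPER-privileged accounts whose host pattern allows non-local connections. The version strings and the mysql.user rows are constructed sample data; a real deployment would feed in `SELECT VERSION()` and `SELECT User, Host, Super_priv FROM mysql.user`.

```python
"""Defender-side checks for CVE-2021-27928 (MariaDB wsrep_provider / wsrep_notify_cmd RCE)."""
import re

# Fixed-in version per branch, taken from the bug summary. Branches not listed
# here (e.g. 10.1 or 10.6) are outside the advisory's stated ranges.
FIXED_IN = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}

# Hosts that mysql.user treats as local connections; anything else (an IP,
# a subnet pattern such as '10.0.0.%' or the '%' wildcard) can be remote.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_version(version_string):
    """Turn '10.3.27-MariaDB-log' into (10, 3, 27); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_string):
    """True if the branch is listed and the version is older than its fix,
    False if at or past the fix, None if the branch is not covered by the advisory."""
    v = parse_version(version_string)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def risky_super_accounts(user_rows):
    """Return (user, host) pairs that hold SUPER and are not restricted to local hosts.
    user_rows mirrors: SELECT User, Host, Super_priv FROM mysql.user."""
    return [(user, host) for user, host, super_priv in user_rows
            if super_priv == "Y" and host not in LOCAL_HOSTS]


# Constructed sample rows, not from any real server.
SAMPLE_USER_ROWS = [
    ("root", "localhost", "Y"),
    ("admin", "%", "Y"),
    ("app", "10.0.0.%", "N"),
    ("dba", "10.0.0.5", "Y"),
]

if __name__ == "__main__":
    print("10.3.27-MariaDB-log affected:", is_affected("10.3.27-MariaDB-log"))
    print("SUPER accounts reachable remotely:", risky_super_accounts(SAMPLE_USER_ROWS))
```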

Comment 12 errata-xmlrpc 2021-03-30 14:14:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2021:1039 https://access.redhat.com/errata/RHSA-2021:1039

Comment 13 Product Security DevOps Team 2021-03-30 17:35:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27928

Comment 16 errata-xmlrpc 2021-04-19 10:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:1241 https://access.redhat.com/errata/RHSA-2021:1241

Comment 17 errata-xmlrpc 2021-04-19 10:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1242 https://access.redhat.com/errata/RHSA-2021:1242

Comment 18 errata-xmlrpc 2021-04-19 10:46:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1240 https://access.redhat.com/errata/RHSA-2021:1240

Comment 19 errata-xmlrpc 2021-05-19 09:47:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2040 https://access.redhat.com/errata/RHSA-2021:2040