Multiple cases of insecure use of chmod and chown were found in the MySQL init script:

- In database directory initialization code:
  https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L97
- In code handling error log file creation and permission setting:
  https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L73

The mysql OS user could use these flaws to escalate privileges to root. Note that the second issue is only exploitable in configurations where the log file is stored in a directory writable to the mysql OS user. If the log file is stored in the /var/log directory, the mysql user is not able to replace it with a link to some other file.

This issue was fixed in MySQL versions 5.5.54, 5.6.35, and 5.7.17. The following related entry can be found in the release notes:

  Initialization scripts create the error log file only if the base directory is /var/log or /var/lib.

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

MySQL upstream commit:
https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-5fccc3d0e109e8f9ad0653728bd1d975
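The comment above describes the hardening the upstream fix applies: a root-run init script must not chown/chmod an error log in a directory the service user can write to, because that user can swap the file for a link to some other file. The following shell function is an added example written for this page; it is not code from the bug report, from MySQL, or from any Red Hat package. It restricts the log file to a root-controlled base directory (the /var/log or /var/lib rule from the release notes), refuses symlinks and non-regular files outright, and uses `chown -h` so that even a link that slips past the check is not followed. ALLOWED_BASES, safe_prepare_log and the scratch paths are assumptions introduced for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from any MySQL/MariaDB package.
# Create a daemon's error log and set its ownership/mode without following a
# planted symlink. The base-directory restriction is the real mitigation: a
# service user who cannot create entries in the directory cannot replace the
# file between our check and our chown/chmod. The symlink test and chown -h
# are defence in depth. ALLOWED_BASES is an assumed knob, overridable so the
# function can be exercised against a scratch directory.
ALLOWED_BASES="${ALLOWED_BASES:-/var/log /var/lib}"

# safe_prepare_log LOGFILE USER GROUP
# Returns 0 when LOGFILE exists as a regular file owned by USER:GROUP with
# mode 0640, 1 when anything looks wrong (nothing is touched in that case).
safe_prepare_log() {
    logfile=$1
    user=$2
    group=$3
    dir=$(dirname "$logfile")

    # 1. Only operate below one of the allowed, root-controlled base dirs.
    ok=0
    for base in $ALLOWED_BASES; do
        case "$dir" in
            "$base"|"$base"/*) ok=1 ;;
        esac
    done
    if [ "$ok" -ne 1 ]; then
        echo "refusing: $dir is outside the allowed base directories" >&2
        return 1
    fi

    # 2. The directory itself must be a plain directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a plain directory" >&2
        return 1
    fi

    # 3. Never chown/chmod through a link or onto something that is not a
    #    regular file (a dangling symlink is caught by -L before -e).
    if [ -L "$logfile" ]; then
        echo "refusing: $logfile is a symlink" >&2
        return 1
    fi
    if [ ! -e "$logfile" ]; then
        # Create the file with a restrictive umask so it is never briefly
        # world-readable before chmod below tightens it to the final mode.
        (umask 077 && : > "$logfile") || return 1
    elif [ ! -f "$logfile" ]; then
        echo "refusing: $logfile is not a regular file" >&2
        return 1
    fi

    # 4. -h changes a symlink itself rather than its target, so a link that
    #    raced past the check above cannot redirect the ownership change.
    chown -h "$user:$group" "$logfile" || return 1
    chmod 0640 "$logfile" || return 1
    return 0
}
```

Run as root with the defaults, `safe_prepare_log /var/log/mysqld.log mysql mysql` behaves like the fixed upstream script: it creates the log under /var/log and refuses a path such as /var/lib/mysql/mysqld.log only if that path turns out to be a symlink or lies outside the allowed bases. The refusal messages go to stderr so a failed ExecStartPre is visible in the unit's journal.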
The CVE was made public via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL
Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1414387]
Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1414386]
This flaw is in the SysV init script used in upstream RPM packages for Red Hat Enterprise Linux and Oracle Enterprise Linux. Red Hat MySQL packages do not use the init script from MySQL sources, but include their own init script. However, these init scripts have a common origin and share this issue.

mysql packages in Red Hat Enterprise Linux 5 and 6 are affected and contain the vulnerable code in /etc/rc.d/init.d/mysqld.

mysql55-mysql packages in Red Hat Enterprise Linux 5 are affected; the init script is /etc/rc.d/init.d/mysql55-mysqld.

mariadb packages in Red Hat Enterprise Linux 7 do not include an init script as the system uses systemd. The affected code can be found in /usr/libexec/mariadb-prepare-db-dir, which is run as an ExecStartPre script as defined in the mariadb.service systemd unit file. As all commands executed from the mariadb.service unit are run with mysql OS user privileges, root privilege escalation is not possible. It would only be possible if the script was manually run by the root user.

rh-mysql56-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 include the affected code in /opt/rh/rh-mysql56/root/usr/libexec/mysql-prepare-db-dir, which is called by the init script. Issues were partially addressed in the recent RHSA-2016:2749, which removed the recursive chown of the data directory and added an incomplete symlink check for the error log file.

rh-mysql56-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 7 include the same version of the mysql-prepare-db-dir script as is used for Red Hat Enterprise Linux 6. The script is configured as ExecStartPre in the rh-mysql56-mysqld.service unit file. However, unlike mariadb packages in Red Hat Enterprise Linux 7, pre-start scripts are run with root privileges rather than mysql user privileges (configured using PermissionsStartOnly=true).
rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the affected code in /opt/rh/rh-mysql57/root/usr/libexec/mysql-prepare-db-dir. The script is run from the rh-mysql57-mysqld init script or the rh-mysql57-mysqld.service systemd unit, and in both cases it's run with mysql user privileges, and therefore root privilege escalation is not possible.

rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat Enterprise Linux 7 include an additional systemd unit - rh-mysql57-mysqld@.service - which runs another pre-start script - /opt/rh/rh-mysql57/root/usr/bin/mysqld_pre_systemd. The script is run with root privileges, and contains similar vulnerable code for creating and setting permissions on the error log file. However, this unit file does not properly set the environment before running mysqld, causing it to fail to run. Therefore, the unit file is very unlikely to be used.

rh-mariadb100-mariadb packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the vulnerable code in /opt/rh/rh-mariadb100/root/usr/libexec/mysql-prepare-db-dir. The script is run from the rh-mariadb100-mariadb init script or the rh-mariadb100-mariadb.service systemd unit. On Red Hat Enterprise Linux 6, the script is run with root privileges, but it's run with mysql privileges on Red Hat Enterprise Linux 7. Therefore, privilege escalation is only possible on Red Hat Enterprise Linux 6.

rh-mariadb101-mariadb packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 include the vulnerable code in /opt/rh/rh-mariadb101/root/usr/libexec/mysql-prepare-db-dir. The script is run from the rh-mariadb101-mariadb init script or the rh-mariadb101-mariadb.service and rh-mariadb101-mariadb@.service systemd units. Similarly to the rh-mariadb100 collection, the script is only run with root privileges on Red Hat Enterprise Linux 6, making only that version vulnerable to the privilege escalation issue.
mariadb-galera packages in Red Hat Enterprise Linux OpenStack Platform 5 for Red Hat Enterprise Linux 6 include the vulnerable code in the /etc/rc.d/init.d/mysqld init script and are affected by this problem.

mariadb-galera packages in Red Hat Enterprise Linux OpenStack Platform 5, 6, 7, 8, 9, and 10 for Red Hat Enterprise Linux 7 include the vulnerable code in /usr/libexec/mariadb-prepare-db-dir, which is run as a pre-start script from the mariadb.service systemd unit. The script is run with mysql user privileges and therefore no privilege escalation is possible.
(In reply to Tomas Hoger from comment #5)
> rh-mysql57-mysql packages in Red Hat Software Collections for Red Hat
> Enterprise Linux 7 include additional systemd unit -
> rh-mysql57-mysqld@.service - which runs another pre-start script -
> /opt/rh/rh-mysql57/root/usr/bin/mysqld_pre_systemd. The script is run with
> root privileges, and contains similar vulnerable code for creating and
> setting permissions on the error log file.

This issue is addressed in MySQL 5.7.17:
https://github.com/mysql/mysql-server/commit/76e9d7e5b30365e8b167e2070ee00f81cb115b8b
https://github.com/mysql/mysql-server/commit/7a5145e445ee802241957eb5290a3e65ea4da70c
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574
Acknowledgments:

Name: Red Hat Product Security