Bug 1568932 (CVE-2018-2773) - CVE-2018-2773 mysql: pid file can be created in a world-writeable directory (CPU Apr 2018)
Status: CLOSED ERRATA
Alias: CVE-2018-2773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1568962 1568963 1568964 1571158 1571174 1571242 1642523
Blocks: 1568977
Reported: 2018-04-18 12:32 UTC by Adam Mariš
Modified: 2021-09-09 13:44 UTC

Fixed In Version: mysql 5.5.60, mysql 5.6.40, mysql 5.7.22
Last Closed: 2018-11-26 20:38:10 UTC

Links

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:1254 | 0 | None | None | None | 2018-04-26 07:27:14 UTC
Red Hat Product Errata | RHSA-2018:3655 | 0 | None | None | None | 2018-11-26 12:30:54 UTC

Description Adam Mariš 2018-04-18 12:32:55 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Comment 1 Adam Mariš 2018-04-18 12:50:30 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1568963]


Created mariadb tracking bugs for this issue:

Affects: fedora-27 [bug 1568962]
Affects: fedora-26 [bug 1568964]

Comment 4 errata-xmlrpc 2018-04-26 07:27:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:1254 https://access.redhat.com/errata/RHSA-2018:1254

Comment 5 Tomas Hoger 2018-07-13 19:50:32 UTC
More details about this issue can be found in the MariaDB bug tracker:

https://jira.mariadb.org/browse/MDEV-13402

That bug notes there are actually two issues related to this CVE:

* Pid file created by mysql user is read by root when stopping mysqld

This is the problem that was reported to both Oracle and MariaDB.  The problem is that mysqld creates the pid file after dropping privileges to the mysql user and it is stored in a directory that is either owned by or writeable by the mysql user.  However, during the service shutdown, the pid file is read by the init script run as root and the process with the id from the pid file is killed.  Therefore, the mysql system user can use this to cause any system process to be killed by manipulating the contents of the pid file.

* Pid file can be created in a world-writeable directory

The above problem described in the report is not what was fixed in MySQL versions 5.5.60, 5.6.40, and 5.7.22.  The following patch was applied:

https://github.com/mysql/mysql-server/commit/ecc5a07874d

This change causes mysqld to log a warning when the pid file is configured to be stored in a world-writeable directory.  If that happens, any system user would be able to cause an arbitrary process to be killed during the mysqld shutdown.  However, this should definitely be considered a mis-configuration, and hence the fix is more of a hardening.  Additionally, the fix does not prevent pid file creation in such a case, it only leads to a warning being logged.

Considering this CVE to apply to the hardening that was applied.  Future fixes to address the original problem, if any, should get a different CVE id.

MariaDB upstream does not seem to be planning to apply this hardening with questionable benefits.

Comment 6 Tomas Hoger 2018-07-13 19:59:13 UTC
Note that the original problem is relevant to systems where a SysV init script is used to start and stop mysqld.  The script, as well as the kill command run to signal the running mysqld process, runs with root privileges and hence can kill processes the mysql user cannot kill.

The issue is not applicable to MySQL and MariaDB packages as shipped with Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 7 as start-up and shutdown of the service is managed by systemd.  The pid file created by mysqld is not used during service shutdown.
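
Added example (not part of the comments above, and not code from MySQL, MariaDB or any Red Hat init script): checks that a root-run SysV-style stop script can make before signalling the PID found in a pid file written by an unprivileged service user. The function names and the expected process name passed by the caller (for instance "mysqld") are assumptions made for illustration.

```shell
#!/bin/sh
# Succeeds if DIR is writable by "other", the condition the MySQL patch warns about.
dir_is_world_writable() {
    [ -d "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# Print the command name of PID, or fail if there is no such process.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null | sed 's/^ *//; s|.*/||' | grep .
    fi
}

# Print the PID stored in FILE only if every check passes; otherwise say why and fail.
# EXPECTED is the process name the service runs as (hypothetical caller-supplied value).
validated_pid() {
    file=$1 expected=$2
    dir=$(dirname "$file")
    if dir_is_world_writable "$dir"; then
        echo "refusing: $dir is world-writable" >&2; return 1
    fi
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing: $file is a symlink or not a regular file" >&2; return 1
    fi
    pid=$(head -n 1 < "$file" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "refusing: pid file content is not a number" >&2; return 1 ;;
    esac
    if [ "$pid" -le 1 ]; then
        echo "refusing: pid $pid is never the service process" >&2; return 1
    fi
    name=$(proc_name "$pid") || { echo "refusing: no process $pid" >&2; return 1; }
    if [ "$name" != "$expected" ]; then
        echo "refusing: pid $pid is '$name', not '$expected'" >&2; return 1
    fi
    echo "$pid"
}

# Usage inside a stop script (constructed path):
#   pid=$(validated_pid /var/run/mysqld/mysqld.pid mysqld) && kill "$pid"
```

The name check narrows what a tampered pid file can point at; it does not remove the race between the check and the kill, which is why having the service manager track the process itself, as systemd does, avoids the problem.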

Comment 7 errata-xmlrpc 2018-11-26 12:30:44 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2018:3655 https://access.redhat.com/errata/RHSA-2018:3655
