Bug 1894919 (CVE-2020-15180) - CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-15180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1894931 1894932 1894933 1894934 1894935 1894936 1894937 1895500 1895501 1895502 1895503 1895504 1895505 1895506 1896932
Blocks: 1894925
 
Reported: 2020-11-05 12:38 UTC by Michael Kaplan
Modified: 2021-09-22 19:28 UTC
CC List: 20 users

Fixed In Version: mariadb 10.1.47, mariadb 10.2.34, mariadb 10.3.25, mariadb 10.4.15, mariadb 10.5.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed: 2020-11-30 17:34:09 UTC




Links (Red Hat Product Errata, with last-updated timestamps):

  RHBA-2020:5318   2020-12-02 11:08:15 UTC
  RHBA-2021:0025   2021-01-05 14:20:58 UTC
  RHSA-2020:5246   2020-11-30 13:45:13 UTC
  RHSA-2020:5379   2020-12-08 14:59:09 UTC
  RHSA-2020:5500   2020-12-15 17:10:48 UTC
  RHSA-2020:5654   2020-12-22 09:02:18 UTC
  RHSA-2020:5663   2020-12-22 09:25:20 UTC
  RHSA-2020:5665   2020-12-22 09:26:34 UTC

Description Michael Kaplan 2020-11-05 12:38:44 UTC
A malicious party with access to the WSREP service port (4567/TCP) as well as prerequisite knowledge of the configuration of the Galera cluster name is required in order to exploit this vulnerability, which leads to remote code execution via the WSREP protocol.

Comment 1 Michael Kaplan 2020-11-05 13:09:21 UTC
Created galera tracking bugs for this issue:

Affects: epel-7 [bug 1894933]
Affects: fedora-all [bug 1894932]


Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894931]


Created mariadb:10.3/galera tracking bugs for this issue:

Affects: fedora-all [bug 1894935]


Created mariadb:10.3/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894934]


Created mariadb:10.4/galera tracking bugs for this issue:

Affects: fedora-all [bug 1894937]


Created mariadb:10.4/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894936]

Comment 2 Tomas Hoger 2020-11-06 09:12:26 UTC
The information included in comment 0 was quoted from the Percona blog post:

https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/

MariaDB upstream bug and commit:

https://jira.mariadb.org/browse/MDEV-23884
https://github.com/MariaDB/server/commit/418850b2df

MariaDB corrected this issue in versions 10.1.47, 10.2.34, 10.3.25, 10.4.15, and 10.5.6.

Comment 4 Tomas Hoger 2020-11-06 10:44:48 UTC
Galera Cluster upstream announcement and the fix for mysql-wsrep part of the Galera Cluster:

https://galeracluster.com/2020/10/galera-cluster-for-mysql-5-6-49-5-7-31-and-8-0-21-released/
https://github.com/codership/mysql-wsrep/commit/4ea4b0c6a318209ac09b15aaa906c7b4a13b988c

Comment 6 Todd Cullum 2020-11-06 20:10:10 UTC
Flaw summary:

Due to insufficient input sanitization, the mysql-wsrep component of Galera Cluster is vulnerable to command injection in the `wsrep_sst_method` field, which specifies the State Snapshot Transfer method[1]. The contents of `wsrep_sst_method` later get passed to pthread_create() as arguments. This allows for remote command injection across Galera Cluster nodes (joiner -> donor and locally to joiner) when a new node joins the cluster. The patch introduces several routines and uses them in `wsrep_sst_donate_cb()` that check the `wsrep_sst_method` for valid input, and error otherwise.

1. https://mariadb.com/kb/en/introduction-to-state-snapshot-transfers-ssts/
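The flaw summary above comes down to one missing control: the SST method name is taken from the wire and used to build a command line without being checked first. The example below is an added illustration of the kind of allow-list check the comment describes, written for this page; it is not the MariaDB or mysql-wsrep patch and does not reproduce its routines. The accepted character set (ASCII letters, digits, `_`, `-`, `.`), the 64-byte length cap, the `/usr/bin` script directory and the `--role` argument are assumptions chosen for the example; only the `wsrep_sst_<method>` script naming follows the real SST helper scripts.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Upper bound on an SST method name. Constructed for this example; not a
// MariaDB or Galera constant.
static const size_t kMaxSstMethodLen = 64;

// Allow-list validation of an SST method name before it is used to build a
// command. Accepts only non-empty names of at most kMaxSstMethodLen bytes,
// starting with a letter or digit and consisting solely of ASCII letters,
// digits, '_', '-' and '.'. Shell metacharacters, whitespace, path separators
// and control bytes all fail the check, so a name received from a peer node
// can never reach the exec step with injected content.
bool sst_method_name_is_valid(const char *method) {
  if (method == nullptr) return false;
  const size_t len = std::strlen(method);
  if (len == 0 || len > kMaxSstMethodLen) return false;
  const unsigned char first = static_cast<unsigned char>(method[0]);
  if (!std::isalnum(first)) return false;  // rejects "-foo" (option-like) and ".foo"
  for (size_t i = 0; i < len; ++i) {
    const unsigned char c = static_cast<unsigned char>(method[i]);
    if (std::isalnum(c) || c == '_' || c == '-' || c == '.') continue;
    return false;
  }
  return true;
}

// Builds the argv for the SST helper script as an argument vector rather than
// a shell string, and returns an empty vector when the method name fails
// validation. The script directory and the "--role" flag are placeholders for
// this example; the wsrep_sst_<method> naming matches the real helper scripts.
std::vector<std::string> build_sst_argv(const char *method, const std::string &role) {
  std::vector<std::string> argv;
  if (!sst_method_name_is_valid(method)) return argv;
  argv.push_back("/usr/bin/wsrep_sst_" + std::string(method));
  argv.push_back("--role");
  argv.push_back(role);
  return argv;
}

// Stand-alone demo over a few constructed method names.
int main() {
  const char *samples[] = {"rsync", "mariabackup", "xtrabackup-v2", "rsync; id", "../rsync", ""};
  for (const char *s : samples) {
    std::printf("%-14s -> %s\n", s, sst_method_name_is_valid(s) ? "accepted" : "rejected");
  }
  return 0;
}
```

Two design points matter here. Validation is an allow-list, not a blocklist of known-bad characters, so new metacharacters or encodings cannot slip past it. And the validated name is placed into an argument vector rather than concatenated into a shell command line, so even a future relaxation of the character set would not hand the value to a shell for interpretation.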

Comment 8 Todd Cullum 2020-11-06 22:28:41 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 9 Todd Cullum 2020-11-09 19:09:02 UTC
Statement:

galera packages as shipped with Red Hat Enterprise Linux and Red Hat Software Collections are not affected because they do not contain the vulnerable mysql-wsrep component.

Comment 15 errata-xmlrpc 2020-11-30 13:45:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5246 https://access.redhat.com/errata/RHSA-2020:5246

Comment 16 Product Security DevOps Team 2020-11-30 17:34:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15180

Comment 17 errata-xmlrpc 2020-12-08 14:59:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:5379 https://access.redhat.com/errata/RHSA-2020:5379

Comment 18 errata-xmlrpc 2020-12-15 17:10:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5500 https://access.redhat.com/errata/RHSA-2020:5500

Comment 19 errata-xmlrpc 2020-12-22 09:02:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5654 https://access.redhat.com/errata/RHSA-2020:5654

Comment 20 errata-xmlrpc 2020-12-22 09:25:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5663 https://access.redhat.com/errata/RHSA-2020:5663

Comment 21 errata-xmlrpc 2020-12-22 09:26:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5665 https://access.redhat.com/errata/RHSA-2020:5665

