Bug 1940909 (CVE-2021-27928) - CVE-2021-27928 mariadb: writable system variables allows a database user with SUPER privilege to execute arbitrary code as the system mysql user
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-27928
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1940911 1940912 1940913 1940914 1941387 1941417 1941418 1941419 1941420 1941421 1941423 1941424 1941425 1941426 1941427 1941428 1941429 1941430 1941431 1941501
Blocks: 1940915
Reported: 2021-03-19 14:28 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:14 UTC (History)

Fixed In Version: mariadb 10.2.37, mariadb 10.3.28, mariadb 10.4.18, mariadb 10.5.9
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in MariaDB and in the wsrep patch for MySQL that allows code execution by an authenticated database user holding the SUPER privilege. Such a user can point the writable system variables wsrep_provider and wsrep_notify_cmd at attacker-controlled content and thereby execute arbitrary shell commands in the context of the mariadb server process, i.e. as the system mysql user.
Clone Of:
Environment:
Last Closed: 2021-03-30 17:35:09 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-03-19 14:28:33 UTC
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

Reference:
https://jira.mariadb.org/browse/MDEV-25179

Comment 1 Guilherme de Almeida Suckevicz 2021-03-19 14:30:02 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940911]


Created mariadb:10.3/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940912]


Created mariadb:10.4/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940913]


Created mariadb:10.5/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1940914]

Comment 3 Summer Long 2021-03-22 01:25:05 UTC
Not verified, but looks like the upstream commit for 10.5.9 is: 
https://github.com/MariaDB/server/commit/ce3a2a688db556d8d077a409fd9bf5cc013d13dd

Comment 8 Doran Moppert 2021-03-22 06:16:37 UTC
Mitigation:

Only users that have the SUPER privilege can exploit this flaw.  To reduce your exposure, ensure user accounts with the SUPER privilege are protected with strong credentials, only allowed to connect locally and not shared with untrusted parties.
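
The audit and hardening statements below are an added example for this tracker entry, not part of the bug report or of any Red Hat or MariaDB product code. They show how a DBA can measure exposure to this flaw and apply the mitigation in Comment 8 on a MariaDB 10.2 to 10.5 server: check the server version against the fixed releases listed above, list every account that holds SUPER together with the hosts it may connect from, inspect the two variables the flaw abuses, and then strip SUPER from accounts that do not need it and bind the remaining SUPER account to localhost. The account names 'app'@'%' and 'dba'@'%' are hypothetical; mysql.user, information_schema.GLOBAL_VARIABLES and the Super_priv column are standard in these MariaDB versions.

```sql
-- Added example (not from the bug report): CVE-2021-27928 exposure audit and
-- mitigation for a MariaDB 10.2-10.5 server. Run as a local administrator.

-- 1. Compare against the fixed releases: 10.2.37 / 10.3.28 / 10.4.18 / 10.5.9.
SELECT VERSION() AS server_version;

-- 2. Who holds SUPER, and from where? Rows whose Host is not a loopback
--    address sort first: those are remotely usable SUPER accounts and are
--    the ones to fix before anything else.
SELECT User, Host, Super_priv
  FROM mysql.user
 WHERE Super_priv = 'Y'
 ORDER BY (Host IN ('localhost', '127.0.0.1', '::1')), User, Host;

-- 3. Current values of the variables the flaw abuses. On a server that is
--    not a Galera node, wsrep_on is OFF, wsrep_provider is 'none' and
--    wsrep_notify_cmd is empty; any other value needs an explanation, and
--    a wsrep_provider path outside the packaged Galera library directory
--    is a strong indicator of tampering.
SELECT VARIABLE_NAME, VARIABLE_VALUE
  FROM information_schema.GLOBAL_VARIABLES
 WHERE VARIABLE_NAME IN ('wsrep_on', 'wsrep_provider', 'wsrep_notify_cmd');

-- 4. Mitigation from Comment 8 (account names are hypothetical).
--    An application account has no business holding SUPER:
REVOKE SUPER ON *.* FROM 'app'@'%';
--    The administrative account keeps SUPER but may only connect locally.
--    RENAME USER preserves its password hash and privileges while replacing
--    the wildcard host with localhost.
RENAME USER 'dba'@'%' TO 'dba'@'localhost';

-- 5. Re-run step 2: it should now return only loopback hosts.
SELECT User, Host
  FROM mysql.user
 WHERE Super_priv = 'Y'
   AND Host NOT IN ('localhost', '127.0.0.1', '::1');
```

Steps 2 and 5 are the ones worth wiring into a scheduled check: a non-empty result from step 5 means a SUPER account reachable over the network has reappeared. The version check in step 1 is the only durable fix; the account changes reduce who can trigger the flaw but do not remove it.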

Comment 12 errata-xmlrpc 2021-03-30 14:14:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2021:1039 https://access.redhat.com/errata/RHSA-2021:1039

Comment 13 Product Security DevOps Team 2021-03-30 17:35:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27928

Comment 16 errata-xmlrpc 2021-04-19 10:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:1241 https://access.redhat.com/errata/RHSA-2021:1241

Comment 17 errata-xmlrpc 2021-04-19 10:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1242 https://access.redhat.com/errata/RHSA-2021:1242

Comment 18 errata-xmlrpc 2021-04-19 10:46:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1240 https://access.redhat.com/errata/RHSA-2021:1240

Comment 19 errata-xmlrpc 2021-05-19 09:47:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2040 https://access.redhat.com/errata/RHSA-2021:2040

