Bug 1524234 (CVE-2017-15365) - CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks
Summary: CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs befor...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15365
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1524767 1524235 1527365 1558264 1558265 1701268
Blocks: 1523473
TreeView+ depends on / blocked
 
Reported: 2017-12-11 01:56 UTC by Sam Fowler
Modified: 2021-02-25 15:55 UTC (History)
23 users (show)

Fixed In Version: mariadb 10.2.10, mariadb 10.1.30
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that MariaDB could replicate certain data definition language (DDL) commands to other cluster nodes despite an access control check failure. A user with an SQL access to the server could possibly use this flaw to perform database modification on certain cluster nodes without having privileges to perform such changes.
Clone Of:
Environment:
Last Closed: 2019-05-21 21:02:01 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1258 0 None None None 2019-05-21 19:54:32 UTC

Description Sam Fowler 2017-12-11 01:56:19 UTC 
MariaDB have noted in their release notes that reserved CVE-2017-15365 has been fixed in version 10.2.10[1], however they have not described how or what the vulnerability was. This CVE is also mentioned to affect Percona[2] with the fix is described as:

"Added access checks for DDL commands to make sure they do not get replicated if they failed without proper permissions"

A comparison with the MariaDB 10.2.10 changelog[3] and Percona description finds this commit[4], which seems a likely candidate for both describing and fixing the vulnerability.
The vulnerable code block in sql/event_data_objects.cc is also present in version 10.1, suggesting that it is also affected.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
[1] https://mariadb.com/kb/en/library/mariadb-10210-release-notes/
[2] https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html
[3] https://mariadb.com/kb/en/library/mariadb-10210-changelog/
[4] https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e
Comment 1 Sam Fowler 2017-12-11 01:57:06 UTC 
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1524235]
Comment 2 Sam Fowler 2017-12-12 01:50:04 UTC 
Created mariadb tracking bugs for this issue:

Affects: openstack-rdo [bug 1524767]
Comment 5 Michal Schorm 2018-02-08 03:36:52 UTC 
Hi, upstream says on https://mariadb.com/kb/en/library/security/ that the issue has been fixed in both MariaDB 10.2.10, MariaDB 10.1.30.

There are no older versions present in Fedora.
Can I just close the Fedora bug, or do we need more complicate fix on downstream side?
Comment 6 Michal Schorm 2018-02-08 03:39:12 UTC 
Yeah, I'm so blind I can't even read my own notes.

The Fedora bug was left open till 10.2.10 released in F27.
I had long long troubles releasing that (and 10.2.12) update, and I forgot to add it to it as solved.
Comment 8 errata-xmlrpc 2019-05-21 19:54:31 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1258 https://access.redhat.com/errata/RHSA-2019:1258
Note You need to log in before you can comment on or make changes to this bug.