A malicious party with access to the WSREP service port (4567/TCP) as well as prerequisite knowledge of the configuration of the Galera cluster name is required in order to exploit this vulnerability, which leads to remote code execution via the WSREP protocol.
Created galera tracking bugs for this issue:
Affects: epel-7 [bug 1894933]
Affects: fedora-all [bug 1894932]

Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1894931]

Created mariadb:10.3/galera tracking bugs for this issue:
Affects: fedora-all [bug 1894935]

Created mariadb:10.3/mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1894934]

Created mariadb:10.4/galera tracking bugs for this issue:
Affects: fedora-all [bug 1894937]

Created mariadb:10.4/mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1894936]
The information included in comment 0 was quoted from the Percona blog post:
https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/

MariaDB upstream bug and commit:
https://jira.mariadb.org/browse/MDEV-23884
https://github.com/MariaDB/server/commit/418850b2df

MariaDB corrected this issue in versions 10.1.47, 10.2.34, 10.3.25, 10.4.15, and 10.5.6.
Percona XtraDB Cluster upstream bug (which remains non-public) and commits:
https://jira.percona.com/browse/PXC-3392
https://github.com/percona/percona-xtradb-cluster/commit/8a338477c9184dd0e03a5c661e9c3a79456de8a4
https://github.com/percona/percona-xtradb-cluster/commit/e9c63ff4bd34404fd3fde6802013ffeac950c0d1
Galera Cluster upstream announcement and the fix for the mysql-wsrep part of Galera Cluster:
https://galeracluster.com/2020/10/galera-cluster-for-mysql-5-6-49-5-7-31-and-8-0-21-released/
https://github.com/codership/mysql-wsrep/commit/4ea4b0c6a318209ac09b15aaa906c7b4a13b988c
Flaw summary: Due to insufficient input sanitization, the mysql-wsrep component of Galera Cluster is vulnerable to command injection in the `wsrep_sst_method` field, which specifies the State Snapshot Transfer method [1]. The contents of `wsrep_sst_method` later get passed to pthread_create() as arguments. This allows for remote command injection across Galera Cluster nodes (joiner -> donor, and locally on the joiner) when a new node joins the cluster. The patch introduces several routines, used in `wsrep_sst_donate_cb()`, that check `wsrep_sst_method` for valid input and error out otherwise.

1. https://mariadb.com/kb/en/introduction-to-state-snapshot-transfers-ssts/
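The class of check the flaw summary describes, written here as an added illustration in C and not taken from the mysql-wsrep patch: the SST method name a joiner sends to the donor is accepted only if it is on an allow-list of known methods and contains nothing but the characters those names can consist of. The function names, the length limit and the list of method names are assumptions for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative allow-list (assumed for this example, not taken from upstream):
   SST method names a donor is willing to act on. */
static const char *const KNOWN_SST_METHODS[] = {
    "rsync", "mysqldump", "xtrabackup", "xtrabackup-v2", "mariabackup", NULL
};

/* Assumed upper bound on a method name; anything longer is rejected outright. */
#define WSREP_SST_METHOD_MAX 64

/* True only if the string is non-empty, within the length bound, and every
   byte is [A-Za-z0-9_-]: no spaces, quotes, separators or control characters
   that a shell or an argument parser could interpret. */
bool wsrep_sst_method_chars_ok(const char *method)
{
    if (method == NULL || *method == '\0') return false;
    size_t n = strlen(method);
    if (n > WSREP_SST_METHOD_MAX) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)method[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

/* True only if the method passes the character check AND matches one of the
   known methods exactly. The character check runs first so a hostile string
   never reaches any further processing. */
bool wsrep_sst_method_is_valid(const char *method)
{
    if (!wsrep_sst_method_chars_ok(method)) return false;
    for (const char *const *p = KNOWN_SST_METHODS; *p != NULL; p++) {
        if (strcmp(*p, method) == 0) return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample inputs: one valid name, one carrying a separator. */
    const char *samples[] = { "rsync", "rsync; echo injected", "xtrabackup-v3" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               wsrep_sst_method_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

A donor that rejects the request at this point logs the refusal and declines to serve the SST rather than starting any transfer with the received string.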
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Statement: galera packages as shipped with Red Hat Enterprise Linux and Red Hat Software Collections are not affected because they do not contain the vulnerable mysql-wsrep component.
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5246 https://access.redhat.com/errata/RHSA-2020:5246
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15180
This issue has been addressed in the following products:

Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:5379 https://access.redhat.com/errata/RHSA-2020:5379
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:5500 https://access.redhat.com/errata/RHSA-2020:5500
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5654 https://access.redhat.com/errata/RHSA-2020:5654
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5663 https://access.redhat.com/errata/RHSA-2020:5663
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5665 https://access.redhat.com/errata/RHSA-2020:5665