1894919 – (CVE-2020-15180) CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep

Bug 1894919 (CVE-2020-15180) - CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep

Summary: CVE-2020-15180 mariadb: Insufficient SST method name check leading to code in...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-15180
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1894931 1894932 1894933 1894934 1894935 1894936 1894937 1895500 1895501 1895502 1895503 1895504 1895505 1895506 1896932
Blocks:	1894925
TreeView+	depends on / blocked

Reported:	2020-11-05 12:38 UTC by Michael Kaplan
Modified:	2021-09-22 19:28 UTC (History)
CC List:	20 users (show)
Fixed In Version:	mariadb 10.1.47, mariadb 10.2.34, mariadb 10.3.25, mariadb 10.4.15, mariadb 10.5.6
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:	2020-11-30 17:34:09 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:5318	None	None	None	2020-12-02 11:08:15 UTC
Red Hat Product Errata	RHBA-2021:0025	None	None	None	2021-01-05 14:20:58 UTC
Red Hat Product Errata	RHSA-2020:5246	None	None	None	2020-11-30 13:45:13 UTC
Red Hat Product Errata	RHSA-2020:5379	None	None	None	2020-12-08 14:59:09 UTC
Red Hat Product Errata	RHSA-2020:5500	None	None	None	2020-12-15 17:10:48 UTC
Red Hat Product Errata	RHSA-2020:5654	None	None	None	2020-12-22 09:02:18 UTC
Red Hat Product Errata	RHSA-2020:5663	None	None	None	2020-12-22 09:25:20 UTC
Red Hat Product Errata	RHSA-2020:5665	None	None	None	2020-12-22 09:26:34 UTC

Description Michael Kaplan 2020-11-05 12:38:44 UTC

A malicious party with access to the WSREP service port (4567/TCP) as well as prerequisite knowledge of the configuration of the Galera cluster name is required in order to exploit this vulnerability, which leads to remote code execution via the WSREP protocol.

Comment 1 Michael Kaplan 2020-11-05 13:09:21 UTC

Created galera tracking bugs for this issue:

Affects: epel-7 [bug 1894933]
Affects: fedora-all [bug 1894932]


Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894931]


Created mariadb:10.3/galera tracking bugs for this issue:

Affects: fedora-all [bug 1894935]


Created mariadb:10.3/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894934]


Created mariadb:10.4/galera tracking bugs for this issue:

Affects: fedora-all [bug 1894937]


Created mariadb:10.4/mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1894936]

Comment 2 Tomas Hoger 2020-11-06 09:12:26 UTC

The information included in comment 0 was quoted from the Percona blog post:

https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/

MariaDB upstream bug and commit:

https://jira.mariadb.org/browse/MDEV-23884
https://github.com/MariaDB/server/commit/418850b2df

MariaDB corrected this issue in versions 10.1.47, 10.2.34, 10.3.25, 10.4.15, and 10.5.6.

Comment 3 Tomas Hoger 2020-11-06 10:36:24 UTC

Percona XtraDB Cluster upstream bug (which remains non-public) and commits:

https://jira.percona.com/browse/PXC-3392
https://github.com/percona/percona-xtradb-cluster/commit/8a338477c9184dd0e03a5c661e9c3a79456de8a4
https://github.com/percona/percona-xtradb-cluster/commit/e9c63ff4bd34404fd3fde6802013ffeac950c0d1

Comment 4 Tomas Hoger 2020-11-06 10:44:48 UTC

Galera Cluster upstream announcement and the fix for mysql-wsrep part of the Galera Cluster:

https://galeracluster.com/2020/10/galera-cluster-for-mysql-5-6-49-5-7-31-and-8-0-21-released/
https://github.com/codership/mysql-wsrep/commit/4ea4b0c6a318209ac09b15aaa906c7b4a13b988c

Comment 6 Todd Cullum 2020-11-06 20:10:10 UTC

Flaw summary:

Due to insufficient input sanitization, the mysql-wsrep component of Galera Cluster is vulnerable to command injection in the `wsrep_sst_method` field, which specifies the State Snapshot Transfer method[1]. The contents of `wsrep_sst_method` later get passed to pthread_create() as arguments. This allows for remote command injection across Galera Cluster nodes (joiner -> donor and locally to joiner) when a new node joins the cluster. The patch introduces several routines and uses them in `wsrep_sst_donate_cb()` that check the `wsrep_sst_method` for valid input, and error otherwise.

1. https://mariadb.com/kb/en/introduction-to-state-snapshot-transfers-ssts/

Comment 8 Todd Cullum 2020-11-06 22:28:41 UTC

Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 9 Todd Cullum 2020-11-09 19:09:02 UTC

Statement:

galera packages as shipped with Red Hat Enterprise Linux and Red Hat Software Collections are not affected because they do not contain the vulnerable mysql-wsrep component.

Comment 15 errata-xmlrpc 2020-11-30 13:45:11 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5246 https://access.redhat.com/errata/RHSA-2020:5246

Comment 16 Product Security DevOps Team 2020-11-30 17:34:09 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15180

Comment 17 errata-xmlrpc 2020-12-08 14:59:08 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:5379 https://access.redhat.com/errata/RHSA-2020:5379

Comment 18 errata-xmlrpc 2020-12-15 17:10:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5500 https://access.redhat.com/errata/RHSA-2020:5500

Comment 19 errata-xmlrpc 2020-12-22 09:02:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5654 https://access.redhat.com/errata/RHSA-2020:5654

Comment 20 errata-xmlrpc 2020-12-22 09:25:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5663 https://access.redhat.com/errata/RHSA-2020:5663

Comment 21 errata-xmlrpc 2020-12-22 09:26:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5665 https://access.redhat.com/errata/RHSA-2020:5665

Note You need to log in before you can comment on or make changes to this bug.

damien.ciabrini
databases-maint
dbecker
dciabrin
fdinitto
hhorak
jjoyce
jorton
jschluet
lhh
ljavorsk
lpeer
mbayer
mburns
mkocka
mmuzila
mschorm
sclewis
slinaber
SpikeFedora