[MDEV-25179] wsrep_provider and wsrep_notify_cmd system variables are writable - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.2.37, 10.3.28, 10.4.18, 10.5.9
Component/s: wsrep
Labels:
None

Description

System variables wsrep_provider and wsrep_notify_cmd system can be modified at run time by a database user with SUPER privileges.

The first variable takes a path to the .so library that the server will try to dlopen(). The second takes a path to the shell script that the server will execute. Having them writable allows a database user with SUPER privilege to execute arbitrary code as the system mysql user.

It seems that there is little (or no) practical use case for having these variables being modified at run-time, it's only ever used in tests. That is making them read-only would be an easy and safe fix for the above issues, at the cost of slightly more complex test scripts.

Attachments

Issue Links

links to

CVE-2021-27928

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2021-03-17 16:52

Updated:: 2021-03-17 16:56

Resolved:: 2021-03-17 16:52

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.