FEDORA-EPEL-2018-1698223c96

security update in Fedora EPEL 7 for mysql-mmm

Status: stable a year ago

Multi-Master Replication Manager for MySQL mmm_agentd Remote Command Injection Vulnerabilities

This update adds data sanitization to inputs for the mmm agent.

Multiple exploitable remote command injection vulnerabilities exist in the MySQL Master-Master Replication Manager (MMM) mmm_agentd daemon 2.2.1. mmm_agentd commonly runs with root privileges and does not require authentication by default. A specially crafted MMM protocol message can cause a shell command injection resulting in arbitrary command execution with the privileges of the mmm_agentd process. An attacker that can initiate a TCP session with mmm_agentd can trigger these vulnerabilities.

The impact of these vulnerabilities can be lessened by configuring mmm_agentd to require TLS mutual authentication and by using network ACLs to prevent hosts other than legitimate mmm_mond hosts from accessing mmm_agentd.

For example, on Linux, iptables rules can be used to block access to the port mmm_agentd is listening on from all hosts except the mmm_monitor host.

The SSL socket configuration can be used where firewall rules are not practical. See the Socket documentation: http://mysql-mmm.org/mysql-mmm.html#SEC58

Add to mmm_common.conf:

<socket>
    type ssl
    cert_file /etc/ssl/certs/www.example.com.bundle.crt
    key_file /etc/ssl/certs/www.example.com.key
    ca_file /etc/ssl/certs/ca-bundle.crt # or ca-certificates.crt
</socket>

Now only those with access to the private key can send commands. Whilst your web server certificate will do the job, you may consider registering a dedicated certificate just for this task.
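The two mitigations above (firewall rules restricting the agent port to the monitor host, and an ssl <socket> stanza) are easy to get subtly wrong, so here is an added example script, not part of the advisory or of the mysql-mmm project, that prints the iptables rules for review and checks a mmm_common.conf for a complete ssl socket stanza. The monitor address 192.0.2.10 and the agent port 9989 are constructed placeholders; take the real values from your own mmm_common.conf.

```shell
#!/bin/sh
# Added example (not from the advisory or the mysql-mmm project).
#  1. mmm_agent_rules: emit iptables rules that let only the mmm_monitor host
#     reach the TCP port mmm_agentd listens on.
#  2. socket_is_tls: verify that a mmm_common.conf carries an ssl <socket>
#     stanza with cert_file, key_file and ca_file all set.
# MONITOR_IP and AGENT_PORT are constructed placeholders, not project defaults.

MONITOR_IP="${MONITOR_IP:-192.0.2.10}"   # constructed: address of the mmm_mond host
AGENT_PORT="${AGENT_PORT:-9989}"         # assumption: use the agent port from mmm_common.conf

# Print the rules instead of applying them so they can be reviewed first and
# then run as root (or translated into the distribution's firewall tooling).
mmm_agent_rules() {
    monitor_ip="$1"
    agent_port="$2"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$agent_port" "$monitor_ip"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$agent_port"
}

# Return 0 when the <socket> stanza in the given file selects "type ssl" and
# names all three certificate files, 1 otherwise. Trailing '#' comments are
# stripped first, as in the advisory's own "ca_file ... # or ..." line.
socket_is_tls() {
    conf="$1"
    stanza=$(sed -n '/^[[:space:]]*<socket>/,/^[[:space:]]*<\/socket>/p' "$conf" | sed 's/#.*//')
    [ -n "$stanza" ] || return 1
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*type[[:space:]]+ssl[[:space:]]*$' || return 1
    for key in cert_file key_file ca_file; do
        printf '%s\n' "$stanza" | grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]+" || return 1
    done
    return 0
}

# Constructed sample configs: one hardened as the advisory shows, one left on
# the unauthenticated plain socket.
write_samples() {
    cat > "$1" <<'EOF'
<socket>
    type ssl
    cert_file /etc/ssl/certs/www.example.com.bundle.crt
    key_file /etc/ssl/certs/www.example.com.key
    ca_file /etc/ssl/certs/ca-bundle.crt # or ca-certificates.crt
</socket>
EOF
    cat > "$2" <<'EOF'
<socket>
    type plain
</socket>
EOF
}

# Stand-alone demo: ./check_mmm.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp/tls.conf" "$tmp/plain.conf"
    mmm_agent_rules "$MONITOR_IP" "$AGENT_PORT"
    socket_is_tls "$tmp/tls.conf" && echo "tls.conf: agent socket requires TLS client certificates"
    socket_is_tls "$tmp/plain.conf" || echo "plain.conf: agent socket is NOT TLS; unauthenticated hosts can send commands"
    rm -rf "$tmp"
fi
```

Run the DROP rule only after the ACCEPT rule for the monitor host is in place, and check that the address you allow is the one mmm_mond actually connects from (a multi-homed monitor may use a different source address). The stanza check is deliberately strict: an ssl socket with a missing ca_file would not verify the monitor's certificate, so it is reported as not TLS.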

NOTE: By now there are some good alternatives to MySQL-MMM. You may want to check out Galera Cluster, which is part of MariaDB Galera Cluster and Percona XtraDB Cluster.

How to install

sudo dnf upgrade --advisory=FEDORA-EPEL-2018-1698223c96

Comments 6

This update has been submitted for testing by bevhost.

This update has been pushed to testing.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.

This update has been submitted for batched by bevhost.

This update has been submitted for stable by bevhost.

This update has been pushed to stable.

Content Type: RPM
Status: stable
Test Gating: (none)
Submitted by: bevhost
Update Type: security
Update Severity: high
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush: Enabled
Dates: submitted a year ago; in testing a year ago; in stable a year ago

Related Bugs 1

#1575161 (Invalid bug number)