
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN173
_____________________________________________________________________

DATE                : 24/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MariaDB Server versions prior to
                           10.2.37, 10.3.28, 10.4.18, 10.5.9.

=====================================================================
https://jira.mariadb.org/browse/MDEV-25179
_____________________________________________________________________

Details

    Type:                Bug
    Status:              Closed
    Priority:            Blocker
    Resolution:          Fixed
    Affects Version/s:   10.2, 10.3, 10.4, 10.5
    Fix Version/s:       10.2.37, 10.3.28, 10.4.18, 10.5.9
    Component/s:         wsrep
    Labels:              None


Description

The system variables wsrep_provider and wsrep_notify_cmd can be
modified at run time by a database user with SUPER privileges.

The first variable takes a path to the .so library that the server will
try to dlopen(). The second takes a path to the shell script that the
server will execute. Having them writable allows a database user with
SUPER privilege to execute arbitrary code as the system mysql user.

It seems that there is little (or no) practical use case for modifying
these variables at run time; it's only ever used in tests. That is,
making them read-only would be an easy and safe fix for the above
issues, at the cost of slightly more complex test scripts.
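
An added example (not part of the MariaDB issue or the CERT-Renater
note): a Python check that compares a server version string against the
Fix Version/s listed above and flags run-time assignments to the two
variables in query-log lines. The log lines and their layout are
constructed for illustration; is_affected and find_runtime_sets are
hypothetical helper names.

```python
import re

# Fixed patch level per branch, from the "Fix Version/s" field of this note.
FIXED = {(10, 2): 37, (10, 3): 28, (10, 4): 18, (10, 5): 9}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Run-time assignment to either variable; wsrep_provider_options must not match.
_SET_RE = re.compile(
    r"\bSET\b.*?(?:GLOBAL\s+|@@GLOBAL\.)(wsrep_provider|wsrep_notify_cmd)\s*:?=",
    re.IGNORECASE,
)

# Constructed sample lines (layout is an assumption, paths are placeholders).
SAMPLE_LOG = [
    "2021-03-20T10:01:02 12 Query SELECT 1",
    "2021-03-20T10:01:05 12 Query SET GLOBAL wsrep_provider = '<path>'",
    "2021-03-20T10:01:09 14 Query set @@global.wsrep_notify_cmd='<path>'",
    "2021-03-20T10:02:00 15 Query SET GLOBAL wsrep_provider_options = 'gcache.size=1G'",
]


def is_affected(version_string):
    """True/False for the branches listed in the note, None for anything else."""
    # Some clients see a "5.5.5-" compatibility prefix in front of the real version.
    cleaned = re.sub(r"^5\.5\.5-", "", version_string.strip())
    m = _VERSION_RE.search(cleaned)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return None  # branch not covered by this note
    return patch < fixed_patch


def find_runtime_sets(log_lines):
    """Return (line_number, variable) for each run-time assignment found."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        m = _SET_RE.search(line)
        if m:
            hits.append((number, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for v in ("10.3.27-MariaDB-0+deb10u1", "10.5.9-MariaDB", "10.1.48-MariaDB"):
        print(v, "->", is_affected(v))
    print(find_runtime_sets(SAMPLE_LOG))
```

A result of None means the branch is not among those listed in this
note, not that the server is safe.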


Issue Links

links to

    Web Link CVE-2021-27928


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




