Bug 919298 (CVE-2015-1027)

Summary: VUL-0: CVE-2015-1027: xtrabackup, percona-toolkit: MITM vulnerability via version check
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Andreas Stieger <astieger>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 13.2   
URL: https://bugs.launchpad.net/percona-xtrabackup/+bug/1408375
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2015-02-24 16:01:48 UTC 
http://www.percona.com/blog/2015/02/17/percona-xtrabackup-2-2-9-now-available/

> Percona XtraBackup was vulnerable to MITM attack which could allow exfiltration of MySQL configuration information via --version-check option. This vulnerability was logged as CVE-2015-1027.

https://bugs.launchpad.net/percona-xtrabackup/+bug/1408375

The effect is mitigated a bit because with some foresight, the openSUSE package was patched to not perform the automatic version check, see bug 864194 (CVE-2014-2029).

https://build.opensuse.org/package/view_file/server:database/xtrabackup/percona-xtrabackup-2.2.x-disable-default-version-check.patch?expand=1

However as a version check may still be requested through configuration or command line switch, an update is neccessary.

Current versions:
openSUSE 13.1: 2.1.8
openSUSE 13.2: 2.2.4
server:database: 2.2.8

Not released in SLE.
Comment 1 Andreas Stieger 2015-02-24 16:06:53 UTC 
This was also fixed in percona-toolkit 2.2.13, which should also go to the update repository:

>   * Fixed lp#1408375: vulnerable to MITM attack which would allow
>                       exfiltration of MySQL configuration
>                       information via --version-check
Comment 2 Swamp Workflow Management 2015-02-24 23:01:00 UTC 
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2015-02-25 09:00:14 UTC 
This is an autogenerated message for OBS integration:
This bug (919298) was mentioned in
https://build.opensuse.org/request/show/287669 Factory / xtrabackup
Comment 4 Bernhard Wiedemann 2015-02-27 09:00:09 UTC 
This is an autogenerated message for OBS integration:
This bug (919298) was mentioned in
https://build.opensuse.org/request/show/288038 13.2+13.1 / xtrabackup+percona-toolkit
Comment 5 Andreas Stieger 2015-03-11 11:08:26 UTC 
released
Comment 6 Swamp Workflow Management 2015-03-11 12:05:09 UTC 
openSUSE-SU-2015:0472-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 919298
CVE References: CVE-2015-1027
Sources used:
openSUSE 13.2 (src):    percona-toolkit-2.2.13-4.1, xtrabackup-2.2.9-4.1
openSUSE 13.1 (src):    percona-toolkit-2.2.13-2.14.1, xtrabackup-2.1.8-25.1
Comment 7 Andreas Stieger 2015-05-06 15:05:56 UTC 
Better late than never, upstream advisory:
https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/