Bug 919298 - (CVE-2015-1027) VUL-0: CVE-2015-1027: xtrabackup, percona-toolkit: MITM vulnerability via version check
(CVE-2015-1027)
VUL-0: CVE-2015-1027: xtrabackup, percona-toolkit: MITM vulnerability via ver...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 13.2
: P3 - Medium : Normal
: ---
Assigned To: Andreas Stieger
Security Team bot
https://bugs.launchpad.net/percona-xt...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-24 16:01 UTC by Andreas Stieger
Modified: 2015-05-06 15:05 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-02-24 16:01:48 UTC
http://www.percona.com/blog/2015/02/17/percona-xtrabackup-2-2-9-now-available/

> Percona XtraBackup was vulnerable to MITM attack which could allow exfiltration of MySQL configuration information via --version-check option. This vulnerability was logged as CVE-2015-1027.

https://bugs.launchpad.net/percona-xtrabackup/+bug/1408375

The effect is mitigated a bit because with some foresight, the openSUSE package was patched to not perform the automatic version check, see bug 864194 (CVE-2014-2029).

https://build.opensuse.org/package/view_file/server:database/xtrabackup/percona-xtrabackup-2.2.x-disable-default-version-check.patch?expand=1

However as a version check may still be requested through configuration or command line switch, an update is neccessary.

Current versions:
openSUSE 13.1: 2.1.8
openSUSE 13.2: 2.2.4
server:database: 2.2.8

Not released in SLE.
Comment 1 Andreas Stieger 2015-02-24 16:06:53 UTC
This was also fixed in percona-toolkit 2.2.13, which should also go to the update repository:

>   * Fixed lp#1408375: vulnerable to MITM attack which would allow
>                       exfiltration of MySQL configuration
>                       information via --version-check
Comment 2 Swamp Workflow Management 2015-02-24 23:01:00 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2015-02-25 09:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (919298) was mentioned in
https://build.opensuse.org/request/show/287669 Factory / xtrabackup
Comment 4 Bernhard Wiedemann 2015-02-27 09:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (919298) was mentioned in
https://build.opensuse.org/request/show/288038 13.2+13.1 / xtrabackup+percona-toolkit
Comment 5 Andreas Stieger 2015-03-11 11:08:26 UTC
released
Comment 6 Swamp Workflow Management 2015-03-11 12:05:09 UTC
openSUSE-SU-2015:0472-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 919298
CVE References: CVE-2015-1027
Sources used:
openSUSE 13.2 (src):    percona-toolkit-2.2.13-4.1, xtrabackup-2.2.9-4.1
openSUSE 13.1 (src):    percona-toolkit-2.2.13-2.14.1, xtrabackup-2.1.8-25.1
Comment 7 Andreas Stieger 2015-05-06 15:05:56 UTC
Better late than never, upstream advisory:
https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/