Transition key was hardcoded

Description

There is a bug in the SST script. It generates a random key and puts it into the $transition_key variable.

But when the SST script does a backup, it encloses the $transition_key variable in single quotes.
Here is an example from the SST trace log:

/usr/bin/pxc_extra/pxb-8.0/bin/xtrabackup --defaults-file=/etc/my.cnf --defaults-group=mysqld --parallel=4 --user=mysql.pxc.sst.user --password=wtft8ze7nSV9BbC0yBv1h68g1bwos9op --socket=/tmp/mysql.sock --lock-ddl --backup --galera-info --binlog-info=ON *'--transition-key=$transition_key' *--stream=xbstream --xtrabackup-plugin-dir=/usr/bin/pxc_extra/pxb-8.0/lib/plugin --target-dir=/tmp/pxc_sst_4v5T/donor_xb_XgCu

Single quotes do not interpolate anything; the variable is taken as its literal value (and loses its meaning). So the transition key is always equal to the string "$transition_key". So we have a hardcoded transition key for every backup which the SST script does.

The right way is to enclose the $transition_key variable in double quotes to get its real value (the randomly generated transition key).

Problematic code line: https://github.com/percona/percona-xtradb-cluster/blob/8.0/scripts/wsrep_sst_xtrabackup-v2.sh#L1826

Environment

None
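
The quoting behaviour described in the report, as an added example that is not part of the original issue or the PXC script. `fake_xtrabackup`, `gen_key` and the sample trace lines are constructed stand-ins, and `find_literal_transition_key` is a hypothetical audit helper that flags trace-log lines where the key reached the command unexpanded.

```shell
#!/bin/sh
# Stand-in for the real binary (assumption): prints the value it actually
# received for --transition-key, so both quoting styles can be compared.
fake_xtrabackup() {
    for arg in "$@"; do
        case "$arg" in
            --transition-key=*) printf '%s\n' "${arg#--transition-key=}" ;;
        esac
    done
}

# Constructed key generator (the SST script's own method is not shown here):
# 16 random bytes rendered as 32 hex characters.
gen_key() { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Buggy form: single quotes suppress expansion, so the command receives the
# literal text "$transition_key" no matter what was generated.
key_seen_buggy() (
    transition_key=$(gen_key)
    fake_xtrabackup --backup '--transition-key=$transition_key'
)

# Fixed form: double quotes expand the variable and keep it a single argument.
key_seen_fixed() (
    transition_key=$(gen_key)
    fake_xtrabackup --backup "--transition-key=$transition_key"
)

# Constructed trace-log lines: one affected invocation, one healthy one.
sample_log() {
cat <<'EOF'
+ xtrabackup --backup '--transition-key=$transition_key' --stream=xbstream
+ xtrabackup --backup --transition-key=9f2c4e1ab07d5c33e8a1f6b2d4c07e55 --stream=xbstream
EOF
}

# Audit helper: reads command lines on stdin and prints "lineno:line" for
# every --transition-key value that starts with '$' (an unexpanded variable).
find_literal_transition_key() {
    grep -n -e '--transition-key=[$]'
}

# Demo run
echo "single-quoted: $(key_seen_buggy)"
echo "double-quoted: $(key_seen_fixed)"
sample_log | find_literal_transition_key
```

Backups already taken by an affected script can be identified by piping the saved SST trace log through `find_literal_transition_key`.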

Activity

KennT April 8, 2020 at 5:23 AM

Also, an SST with an encrypted table will fail if sent to a downlevel node,

5.7.28  -> 5.7.28.2 will work

5.7.28.2 -> 5.7.28 will not work

 

KennT April 2, 2020 at 5:42 AM

Will need to know how we will be releasing 5.7 so that I can implement version checking (5.7.28.2?)

David Busby March 30, 2020 at 10:06 AM

CVE-2020-10996 is the CVE reference for this issue.

Mykola Marzhan March 27, 2020 at 8:48 AM

Zsolt Parragi March 27, 2020 at 7:40 AM

So we have a hardcoded transition key for every backup which the SST script does.

In normal use, when SST is used for creating/recreating nodes, this isn't an issue, as the data itself is transmitted using SSL, and deleted immediately after restoring. During this transfer time, the backup and the transition key are both written to the same place in the filesystem; if somebody has access to the data at this point, he can decrypt it anyway.

This only has an effect when SST is used to create a backup with garbd, when every backup taken so far uses the same transition key.

For 5.7 the operator also doesn't have encryption support built in, which means that it only affects existing users that have some custom setup with encryption enabled.

Done

Details

Time tracking

5h 5m logged

Created March 27, 2020 at 7:10 AM
Updated March 6, 2024 at 9:40 PM
Resolved April 29, 2020 at 1:15 PM
