[security] CVE-2016-6653: MySQL Audit logs sent to Syslog


Travis McPeak
 

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry MySQL Release versions 27[1] and 28[2]

Description

MariaDB's audit_plugin, included in cf-mysql-release starting with v27, lets
the Operator enable an audit trail that records every query sent to the SQL
server. The plugin was wired into the release with a bug that also forwards
those audit records to syslog. Depending on the applications that use
cf-mysql, the records may contain Personally Identifiable Information (PII) of
application users, including unencrypted application access credentials and
any application-specific data written to the database, and that data then
travels wherever the syslog stream is shipped and retained.

The audit_plugin masks the password in CREATE USER statements (the first
example below shows IDENTIFIED BY *****), so MySQL server access credentials
themselves are not sent to syslog. Values embedded in ordinary application
queries are not masked.

Note: The property that enables audit logging, cf_mysql.mysql.server_audit_events,
is empty by default in the release's spec file
<https://github.com/cloudfoundry/cf-mysql-release/blob/v27/jobs/mysql/spec#L104>.
A deployment is only affected if an Operator set this property before
deploying.

Mitigation

OSS users are strongly encouraged to stop the leak with one of the first two
steps below, and then address the records that have already been emitted:

- Deploy cf-mysql-release v29.
- Disable audit logging by deleting the values of
  cf_mysql.mysql.server_audit_events and re-deploying.
- Decide how best to handle the audit log records already stored by your
  syslog server (implementation varies).


Examples

Below are several examples of audit log events as they appear in syslog. Each
record is a single comma-separated line: timestamp, server host, MySQL user,
client host, connection id, query id, operation, database, the quoted query
text (embedded quotes are escaped as \'), and the return code. Scan your
syslog server for entries like these to validate that audit logs are no
longer being sent to syslog.

20160926 19:55:49,9da585c7-1abc-1234-a6b2-7ee157f6ba65,root,192.0.2.11,118512,16585118,QUERY,mysql_broker,'CREATE USER \'zconN9KAQ6PwXsQC\' IDENTIFIED BY *****',0

20160926 22:33:02,d27a463f-x123-1234-96f4-d0ce7b6b298e,EN0wrPpthGzaC7pU,192.0.2.11,120867,29195687,QUERY,cf_fa403c9e_1234_1234_ad0a_70d53d277dbc,'SELECT `partition_spec`.* FROM `partition_spec` WHERE `partition_spec`.`name` = \'ordered\' LIMIT 1',0

20160926 22:33:02,d27a463f-x123-1234-96f4-d0ce7b6b298e,dX3qqBoWRGJGZoPx,192.0.2.11,444,29195516,QUERY,cf_da07adfc_123x_1234_a934_dae104226a95,'SELECT `daemon`.* FROM `daemon` WHERE `daemon`.`name` = \'ordered_delayed_job_workers\' LIMIT 1',0
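The scan described above, worked through as an added example (this is not cf-mysql-release or MariaDB code). It parses MariaDB server_audit records out of a syslog file, tolerating a syslog header in front of each record and commas inside the query text, and summarises what reached syslog: events per operation and per database, how many records belong to service-instance databases (assumed here to be the cf_-prefixed databases seen in the examples), writes into those databases that may carry application data, and any password-setting statement whose secret was not masked. The sample lines are constructed from the three records above plus an unrelated sshd line, an INSERT and a CONNECT event; SAMPLE_SYSLOG, parse_audit_record, scan and report are this example's own names.

```python
"""Scan syslog for MariaDB server_audit records forwarded by cf-mysql-release.

Added example for this advisory, not code from cf-mysql-release or MariaDB.
Record layout is the MariaDB server_audit plugin format:
  timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
For QUERY events the object is the SQL text, single-quoted, with embedded
quotes written as \\'. Database names starting with cf_ are assumed to be
service-instance databases (inferred from the advisory's examples).
"""
import re
import sys
from collections import Counter

# An audit record begins "YYYYMMDD HH:MM:SS," whether or not a syslog header precedes it.
RECORD_START = re.compile(r"\d{8} \d{2}:\d{2}:\d{2},")
# IDENTIFIED BY followed by anything other than the plugin's ***** mask.
UNMASKED_PASSWORD = re.compile(r"\bIDENTIFIED\s+BY\s+(?!\*{5})", re.IGNORECASE)
# Statements that write application data, the usual place PII ends up in a query log.
APP_WRITE = re.compile(r"^\s*(INSERT|UPDATE|REPLACE)\b", re.IGNORECASE)
APP_DB_PREFIX = "cf_"  # assumption: service-instance database naming, per the examples


def parse_audit_record(line):
    """Return a dict for the server_audit record in `line`, or None if there is none."""
    start = RECORD_START.search(line)
    if start is None:
        return None
    fields = line[start.start():].rstrip("\r\n").split(",", 8)
    if len(fields) != 9:
        return None
    ts, serverhost, user, host, conn_id, query_id, operation, database, rest = fields
    # The object may itself contain commas, so the return code is whatever follows the last one.
    obj, sep, retcode = rest.rpartition(",")
    retcode = retcode.strip()
    if not sep or not retcode.lstrip("-").isdigit():
        return None
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")
    return {
        "timestamp": ts, "serverhost": serverhost, "user": user, "host": host,
        "connection_id": conn_id, "query_id": query_id, "operation": operation,
        "database": database, "query": obj, "retcode": int(retcode),
    }


def scan(lines):
    """Parse every audit record found in an iterable of syslog lines."""
    return [r for r in (parse_audit_record(line) for line in lines) if r is not None]


def report(records):
    """Summarise what an audit leak into syslog exposed."""
    return {
        "total": len(records),
        "by_operation": dict(Counter(r["operation"] for r in records)),
        "by_database": dict(Counter(r["database"] for r in records)),
        "application_db_records": sum(r["database"].startswith(APP_DB_PREFIX) for r in records),
        "unmasked_password_queries": [r["query_id"] for r in records
                                      if r["operation"] == "QUERY" and UNMASKED_PASSWORD.search(r["query"])],
        "application_writes": [r["query_id"] for r in records
                               if r["database"].startswith(APP_DB_PREFIX) and APP_WRITE.match(r["query"])],
    }


# Constructed sample: the advisory's three records (the first with a syslog header),
# an unrelated sshd line, an INSERT carrying application data, and a CONNECT event.
SAMPLE_SYSLOG = """\
Sep 26 19:55:49 mysql-0 mysql-server_auditing: 20160926 19:55:49,9da585c7-1abc-1234-a6b2-7ee157f6ba65,root,192.0.2.11,118512,16585118,QUERY,mysql_broker,'CREATE USER \\'zconN9KAQ6PwXsQC\\' IDENTIFIED BY *****',0
Sep 26 19:55:50 mysql-0 sshd[1234]: Accepted publickey for vcap from 192.0.2.5
20160926 22:33:02,d27a463f-x123-1234-96f4-d0ce7b6b298e,EN0wrPpthGzaC7pU,192.0.2.11,120867,29195687,QUERY,cf_fa403c9e_1234_1234_ad0a_70d53d277dbc,'SELECT `partition_spec`.* FROM `partition_spec` WHERE `partition_spec`.`name` = \\'ordered\\' LIMIT 1',0
20160926 22:33:02,d27a463f-x123-1234-96f4-d0ce7b6b298e,dX3qqBoWRGJGZoPx,192.0.2.11,444,29195516,QUERY,cf_da07adfc_123x_1234_a934_dae104226a95,'SELECT `daemon`.* FROM `daemon` WHERE `daemon`.`name` = \\'ordered_delayed_job_workers\\' LIMIT 1',0
20160926 22:33:03,d27a463f-x123-1234-96f4-d0ce7b6b298e,dX3qqBoWRGJGZoPx,192.0.2.11,444,29195517,QUERY,cf_da07adfc_123x_1234_a934_dae104226a95,'INSERT INTO `sessions` (`user`, `token`) VALUES (\\'alice@example.com\\', \\'s3cr3t-session-token\\')',0
20160926 22:33:04,d27a463f-x123-1234-96f4-d0ce7b6b298e,dX3qqBoWRGJGZoPx,192.0.2.11,444,0,CONNECT,cf_da07adfc_123x_1234_a934_dae104226a95,,0
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            records = scan(fh)
    else:
        records = scan(SAMPLE_SYSLOG.splitlines())
    for key, value in report(records).items():
        print(f"{key}: {value}")
    # Non-zero exit while any audit record is still reaching syslog.
    return 1 if records else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a syslog file and it exits non-zero while any audit record is still found, which makes it usable as a post-redeploy check; the same record list shows which databases' records your syslog retention now has to deal with, which is the third mitigation above. The unmasked-password check is a heuristic on IDENTIFIED BY and is expected to stay empty given the plugin's masking; the application-write list is where to look first for PII.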

Credit

This issue was discovered by the Cloud Foundry cf-mysql development team.

References

- [1] https://github.com/cloudfoundry/cf-mysql-release/releases/v27
- [2] https://github.com/cloudfoundry/cf-mysql-release/releases/v28