CVE-2021-46149: T293749 /w/api.php?action=languagesearch denial of service (CVE-2021-46149)

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search.


/w/api.php?action=languagesearch denial of service (CVE-2021-46149)

Closed, ResolvedPublicSecurity


While browsing Language team dashboard in Logstash, I came across a bunch of timeouts from the language search API:


from /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(97)
#0 /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(72): Wikimedia\RequestTimeout\Detail\ExcimerTimerWrapper->onTimeout(integer)
#1 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(187): Wikimedia\RequestTimeout\Detail\ExcimerTimerWrapper->Wikimedia\RequestTimeout\Detail\{closure}(integer)
#2 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(179): LanguageNameSearch::levenshteinDistance(string, string)
#3 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(103): LanguageNameSearch::levenshteinDistance(string, string)
#4 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(70): LanguageNameSearch::matchNames(string, string, integer)
#5 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/includes/api/ApiLanguageSearch.php(29): LanguageNameSearch::search(string, integer, string)
#6 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(1878): ApiLanguageSearch->execute()
#7 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(857): ApiMain->executeAction()
#8 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(828): ApiMain->executeActionWithErrorHandling()
#9 /srv/mediawiki/php-1.38.0-wmf.4/api.php(90): ApiMain->execute()
#10 /srv/mediawiki/php-1.38.0-wmf.4/api.php(45): wfApiMain()
#11 /srv/mediawiki/w/api.php(3): require(string)
#12 {main}

More specifically, there were 1757 such requests on viwiki on 2021-10-17, which was clearly an intentional DoS attempt.

Author Affiliation: WMF Product

Event Timeline


Doing some quick stats, longest language name is 154 bytes or 76 “mb_strlen” characters long. But it’s questionable whether doing a typo match at that long search query is useful. I propose we skip fuzzy search when mb_strlen value is longer than say 25, or at most 76 if we want to avoid any user impact.
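The length guard proposed in this comment, as an added Python example that is not ULS or MediaWiki code: prefix matching runs for every query, but the edit-distance (typo) pass, whose cost grows with query length times name length for every language name, only runs for short queries. The language table, the 25-character threshold and the edit-distance cutoff are constructed assumptions.

```python
# Added example (not ULS/MediaWiki code): fuzzy language-name search with a
# query-length guard. The Levenshtein DP costs O(len(query) * len(name)) per
# name, so a multi-kilobyte query multiplies the work of one API call by
# thousands for every language in the table.

# Constructed sample table: language code -> display name.
LANGUAGE_NAMES = {
    "en": "English",
    "vi": "Tiếng Việt",
    "de": "Deutsch",
    "fr": "français",
    "fi": "suomi",
}

MAX_FUZZY_QUERY_CHARS = 25  # threshold from the comment above (assumed value)
MAX_EDIT_DISTANCE = 2       # constructed: how far a "typo match" may stray


def levenshtein(a: str, b: str) -> int:
    """Classic two-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def search(query: str, limit: int = 10) -> dict:
    """Prefix match first; fall back to the fuzzy pass only for short queries.

    Returns {"matches": {code: name}, "fuzzy": bool}; "fuzzy" records whether
    the expensive edit-distance path was actually taken.
    """
    q = query.casefold()
    matches = {code: name for code, name in LANGUAGE_NAMES.items()
               if name.casefold().startswith(q)}
    # Guard: len() counts code points (like PHP's mb_strlen), not bytes,
    # so a long multibyte name such as "Tiếng Việt" is not penalised.
    fuzzy = not matches and len(query) <= MAX_FUZZY_QUERY_CHARS
    if fuzzy:
        for code, name in LANGUAGE_NAMES.items():
            if levenshtein(q, name.casefold()) <= MAX_EDIT_DISTANCE:
                matches[code] = name
    return {"matches": dict(list(matches.items())[:limit]), "fuzzy": fuzzy}
```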


The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week’s train and will be included in our next MLEB release this week.

It should also be backported to supported release branches, I think.


> The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week’s train and will be included in our next MLEB release this week.

Well, we’re probably close enough to the train cut that the gerrit patch can just go along with that and roll out this week. The commit message was fairly benign, so the only hint that this is a security issue is the linked private bug and the patch itself. ULS isn’t bundled so there’s no issue with the upcoming security release there, as this would just be included within the supplemental announcement, which often includes several already-public security issues. Anyhow, the Security-Team will chat about this today during our clinic and see if we have any additional guidance to provide.

> It should also be backported to supported release branches, I think.

Yes, it should. The Security-Team can start those picks.

Reedy closed this task as Resolved. Dec 10 2021, 8:20 PM

mmartorana renamed this task from /w/api.php?action=languagesearch denial of service to /w/api.php?action=languagesearch denial of service (CVE-2021-46149). Mon, Jan 10, 5:03 PM


> The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week’s train and will be included in our next MLEB release this week.
>
> It should also be backported to supported release branches, I think.

In other words: If people are either using MLEB 2021.10, 2021.11 or preferably 2021.12 they are cool?!


Cool, thanks for confirming. Thanks also for the tip. Never noticed this one.
