CVE-2020-10996 - Percona XtraDB Cluster SST script static key - Percona Database Performance Blog

An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected.

20 Apr 2020 | MySQL | Tags: CVE, sql, auth

Percona XtraDB Cluster versions greater than 5.7.22-29.26 and less than 5.7.28-31.42.1 contained a script that handled SST transfers to nodes. Due to an error in the bash script handling this process, the transition key it produced was inadvertently set to a static value instead of a freshly generated random one.

Applicability

Time-based access to SST files is required in order to exploit this error; because SST files are ephemeral in nature, the window in which an attacker with access to the filesystem can exploit this issue is limited.

Exploitation additionally requires InnoDB at-rest encryption to be enabled, which is not considered a GA feature at the time of writing.
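The following shell snippet is an added illustration and is not Percona's wsrep SST script. It uses a hypothetical shell pitfall (an assignment performed inside a pipeline, which runs in a subshell and so never replaces the placeholder default) to show the class of mistake that leaves a static key in place; the page does not say this was the actual cause in PXC-3117. The function names, the placeholder key value and the self-check are assumptions introduced here. Beside the buggy generator it shows a corrected one that reads from the kernel CSPRNG and validates its output, and a check a defender can use to confirm a generator produces a fresh key on every call, which is the property CVE-2020-10996 violated.

```shell
#!/usr/bin/env bash
# Added illustration, not the Percona SST script. Shows a hypothetical way a
# shell script can end up emitting a static transition key, the corrected
# generator, and a self-check that the key changes between invocations.

# Hypothetical buggy generator: the assignment happens inside a pipeline, so it
# runs in a subshell and the caller only ever sees the placeholder default.
buggy_transition_key() {
    local transition_key="0000000000000000000000000000000000000000000000000000000000000000"
    printf 'seed\n' | { transition_key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'); }
    printf '%s\n' "$transition_key"
}

# Corrected generator: read 32 bytes from the kernel CSPRNG in the current shell
# and fail loudly unless the result is exactly 64 lowercase hex characters.
fixed_transition_key() {
    local transition_key
    transition_key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n') || return 1
    case "$transition_key" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#transition_key}" -eq 64 ] || return 1
    printf '%s\n' "$transition_key"
}

# Self-check: two keys from the same generator must differ. Returns 0 when the
# generator produces fresh keys and 1 when it is static (the symptom of this CVE).
transition_key_is_fresh() {
    local k1 k2
    k1=$("$1") || return 1
    k2=$("$1") || return 1
    [ "$k1" != "$k2" ]
}

# Usage: report which generator behaves correctly.
main() {
    for gen in buggy_transition_key fixed_transition_key; do
        if transition_key_is_fresh "$gen"; then
            echo "$gen: fresh key on every call"
        else
            echo "$gen: STATIC key (vulnerable pattern)"
        fi
    done
}

main "$@"
```

The self-check is the useful part for an operator: running the real key generator twice and comparing the results is a cheap way to catch any regression that reintroduces a fixed value, regardless of which shell mistake caused it.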

Credits

Percona would like to thank Pavel Kasko for discovering this issue, and working to aid resolution.

More Information

  • CVE-2020-10996
  • https://jira.percona.com/browse/PXC-3117

Release notes

  • https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.28-31.41.2.html

Author

David Busby

David is an Information Security Architect, and CISSP qualified. He has worked with Percona since 2013 and has over 17 years’ experience in DevOps, databases and security. David is a Ju-Jitsu instructor, assistant scout leader and also volunteers at a local secondary school to teach kids computing.
