CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
68.1%
CVE-2016-6653 MySQL Audit logs sent to Syslog
High
Cloud Foundry Foundation
MariaDB’s audit_plugin
, incorporated in cf-mysql-release starting with cf-mysql-release v27, allows the Operator to enable audit trails, which log all queries sent to the SQL server. With the incorporation of this plugin, a bug was introduced that causes those logs to be sent to syslog. Depending on the nature of the applications that use cf-mysql, these audit logs may contain Personally Identifiable Information (PII) of application users, including unencrypted application access credentials and any application-specific data written to the database.
The audit_plugin
automatically redacts credentials in MySQL user creation. MySQL server access credentials are not sent to syslog.
Note: The property, cf_mysql.mysql.server_audit_events
, which enables Audit logging is not enabled by default in the release’s spec file. The audit feature must have been manually enabled by an Operator before deploying.
OSS users are strongly encouraged to follow one of the mitigations below:
cf_mysql.mysql.server_audit_events
and re-deploying.Below are several examples of audit log events as they will appear in syslog. Scan for entries like these in order to validate that you are no longer sending audit logs to syslog.
20160926 19:55:49,9da585c7-1abc-1234-a6b2-7ee157f6ba65,root,192.0.2.11,118512,16585118,QUERY,mysql_broker,'CREATE USER 'zconN9KAQ6PwXsQC' IDENTIFIED BY *****',0
20160926 22:33:02,d27a463f-x123-1234-96f4-d0ce7b6b298e,EN0wrPpthGzaC7pU,192.0.2.11,120867,29195687,QUERY,cf_fa403c9e_1234_1234_ad0a_70d53d277dbc,'SELECT
partition_spec.* FROM
partition_specWHERE
partition_spec.
name = 'ordered' LIMIT 1',0
20160926 22:33:02,d27a463f-x123-1234-96f4-d0ce7b6b298e,dX3qqBoWRGJGZoPx,192.0.2.11,444,29195516,QUERY,cf_da07adfc_123x_1234_a934_dae104226a95,'SELECT
daemon.* FROM
daemonWHERE
daemon.
name = 'ordered_delayed_job_workers' LIMIT 1',0
This issue was discovered by the Cloud Foundry cf-mysql development team.
2016-09-29: Initial vulnerability report published
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
68.1%