Author - David Busby

CVE-2020-15180 – Affects Percona XtraDB Cluster


Galera replication technology, a key component of Percona XtraDB Cluster, suffered from a remote code execution vulnerability. Percona has been working with the vendor since early September on this issue and has made releases available to address the problem.
Applicability
A malicious party with access to the WSREP service port (4567/TCP) as well as prerequisite knowledge […]


CVE-2020-26542: SimpleLDAP Authentication in Percona Server for MySQL, Percona Server for MongoDB

When using SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a flaw that allows authentication to complete when a blank value is passed for the account password, giving access to the service integrated with Active Directory at the privilege level granted to the authenticating account.
Applicability
Percona Server for […]


CVE-2020-10996 – Percona XtraDB Cluster SST script static key

Percona XtraDB Cluster versions greater than 5.7.22-29.26 and less than 5.7.28-31.42.1 contained a script that handled SST transfers to nodes; the key used by this script was inadvertently set to a static value due to an error in the bash script handling this process.
Applicability
Time-based access to SST files is required in order to exploit this error, as sst […]


CVE-2020-10997 – Percona XtraBackup information disclosure of command line arguments

Percona XtraBackup >= 2.4.11 suffers from an issue whereby the whole command line is captured and written to the resulting backup file location, and where the `--history` command line argument is passed it is also captured within the PERCONA_SCHEMA.xtrabackup_history table, in addition to the information being present within the process list and standard error output.
This issue […]


Incident Involving Percona Forums on September 24, 2019

Summary
On September 24, 2019, Percona’s IT and IT Security teams were made aware of a denial of service attack on www.percona.com/forums. We use vBulletin to host Percona Forums, which was subjected to a zero-day pre-authentication remote code execution vulnerability. This vulnerability potentially allows an unauthenticated attacker to remotely execute code on, or possibly complete control […]
