A vulnerability has been discovered in all versions of Percona Monitoring and Management (PMM). There is no evidence this vulnerability has been exploited in the wild, and no customer data has been exposed.

Vulnerability details

This vulnerability stems from the way PMM handles input for MySQL services and agent actions. By abusing specific API endpoints, particularly /v1/actions:startServiceAction with the pt-mysql-summary tool, an attacker with access to the PMM UI or API can craft malicious input that executes arbitrary system commands as root on registered nodes.

Importantly, this exploit does not require privileged user credentials. Access to the PMM API and a standard service account, as used by PMM agents, is sufficient.

What Percona has done

Today, we released PMM 3.3.1, implementing strengthened input sanitization to prevent malicious code injection via these interfaces. If you’re a Percona Managed Services customer, Percona has applied a mitigation on your behalf and no further action is required on your part at this time.

What you should do

Upgrade to PMM 3.3.1

This release directly fixes the vulnerability and enhances overall security in all PMM deployments.

  1. Schedule a maintenance window to minimize disruption.
  2. Download the latest PMM release.
  3. Upgrade PMM Server, then upgrade PMM Client.
  4. Change all credentials for the services that PMM monitors, including database user accounts and any other credentials (e.g., API keys, SSH keys) PMM uses to connect to your infrastructure.
  5. Thoroughly check access logs for any potential unauthorized access attempts or suspicious activity.
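Step 5 asks for a review of access logs. As an added example that is not part of Percona's advisory or tooling, the following Python script surfaces every request to the /v1/actions:startServiceAction endpoint named above, grouped by client address and user agent, so callers that are not your own PMM agents can be triaged. It assumes the PMM API is fronted by a proxy writing combined-format access logs (LOG_RE is the assumption to adjust); the log lines and user-agent strings are constructed for the example.

```python
import re
from collections import Counter

# Regex for the common "combined" access-log format. This is an assumption
# about your proxy's log format; adjust it if your PMM front end logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The API path the advisory names as the abused one.
SUSPECT_PATH = "/v1/actions:startServiceAction"

# Constructed sample lines for the example; not real PMM logs.
SAMPLE_LOG = """
10.0.0.5 - - [11/Sep/2025:10:01:02 +0000] "GET /v1/server/version HTTP/1.1" 200 123 "-" "pmm-agent/3.3.0"
10.0.0.7 - - [11/Sep/2025:10:02:15 +0000] "POST /v1/actions:startServiceAction HTTP/1.1" 200 98 "-" "curl/8.4.0"
10.0.0.7 - - [11/Sep/2025:10:02:16 +0000] "POST /v1/actions:startServiceAction HTTP/1.1" 200 98 "-" "curl/8.4.0"
10.0.0.9 - - [11/Sep/2025:10:05:40 +0000] "GET /v1/inventory/services HTTP/1.1" 200 44 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Sep/2025:10:06:00 +0000] "POST /v1/actions:startServiceAction HTTP/1.1" 200 98 "-" "pmm-agent/3.3.0"
not a log line at all
"""


def parse_access_log(text):
    """Yield one dict per parseable line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def find_start_action_calls(text):
    """Return every request to the startServiceAction endpoint, whatever its status code."""
    return [
        event for event in parse_access_log(text)
        if event["path"].split("?", 1)[0] == SUSPECT_PATH
    ]


def summarize_by_source(events):
    """Count suspect calls per (client IP, user agent) so unfamiliar callers stand out."""
    return Counter((event["ip"], event["ua"]) for event in events)


if __name__ == "__main__":
    hits = find_start_action_calls(SAMPLE_LOG)
    for (ip, ua), count in summarize_by_source(hits).most_common():
        print(f"{count:4d}  {ip:15s}  {ua}")
```

Run it against the real log with `find_start_action_calls(open(path).read())`; any (address, user agent) pair that is not one of your registered agents deserves a closer look, together with the credential rotation in step 4.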

If you cannot upgrade immediately

If you are unable to upgrade to PMM 3.3.1 immediately, implement one of the following temporary measures to reduce risk. These options do not eliminate the vulnerability entirely. Prioritize upgrading to PMM 3.3.1 as soon as possible.

1. Choose one of the following temporary mitigation options:

  • Make the pt-mysql-summary script non-executable to keep the system information tool on disk but prevent it from being executed via the vulnerable path:

  • Delete pt-mysql-summary to permanently remove the vulnerable tool from your system:

Both options impact the MySQL Instance Summary dashboard. Since pt-mysql-summary collects system information, disabling or removing this tool will remove CPU, memory, disk, and OS version information from the dashboard. Other performance metrics continue to be collected normally.

If you are running an older PMM (2.x) on Kubernetes

Please note this vulnerability extends to users who have deployed PMM 2.x in a containerized fashion. If you are deploying PMM in Kubernetes using Percona Operators, you’ll want to make sure that your YAML manifest is updated to use percona/pmm-server:2.44.1 / percona/pmm-client:2.44.1-1.

For all other deployments, please make sure you are using the latest version of the percona/pmm-server / percona/pmm-client image.

Optional further mitigation steps

There are no known exploits of this vulnerability. However, for a more security-conscious approach, the following additional steps can be taken.

  1. Change all credentials for the services that PMM monitors. This includes database user accounts and any other credentials (e.g., API keys, SSH keys) connected to your infrastructure.
  2. Thoroughly check access logs for any potential unauthorized access attempts or suspicious activity.

We’re here to help

We are available to assist you 24/7 if you need further clarification or assistance:

Ensuring the security of your database infrastructure is our top priority. We thank you for your continued trust in Percona.
