Ubuntu
mysql-8.0 package

MySQL X protocol port 33060 listening on network by default

Bug #1857584 reported by Tom Reynolds
282
This bug affects 7 people
Affects Status Importance Assigned to Milestone
mysql-8.0 (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Marc Deslauriers
Groovy
Fix Released
Undecided
Unassigned
Hirsute
Fix Released
Undecided
Unassigned

Bug Description

MySQL Server 8.0 (on Eoan) binds to / listens on *:33060/tcp (MySQL X protocol) by default. For the classic shell it binds to localhost:3306/tcp only, as users will have gotten used to expect.

This seems like a potentially dangerous change of defaults - users may not expect the service to start listening on an additional port (33060), and may not expect the MySQL X protocol server to bind to *.

By default, no authentication should be possible from the network on the MySQL X protocol (I tested using the debian-sys-maint user and its password, as well as the root user, without a password). Some users may, however, assume that network access is not possible and choose to set simple mysql user passwords (for access from any host). Doing so would certainly involve negligent operation on the users' part, but this does not make it unlikely to happen. Ubuntu should (continue to) come with secure defaults, where services which are more likely to be used locally only (at least initially) should not listen on the network (anywhere but on localhost anyways) by default.

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: mysql-server 8.0.18-0ubuntu0.19.10.1
ProcVersionSignature: Ubuntu 5.3.0-24.26-generic 5.3.10
Uname: Linux 5.3.0-24-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
Date: Thu Dec 26 06:13:34 2019
InstallationDate: Installed on 2019-10-17 (69 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191016.5)
Logs.var.log.daemon.log:

MySQLConf.etc.mysql.conf.d.mysql.cnf: [mysql]
MySQLConf.etc.mysql.conf.d.mysqldump.cnf:
 [mysqldump]
 quick
 quote-names
 max_allowed_packet = 16M
MySQLVarLibDirListing: ['binlog.000001', 'private_key.pem', 'ibdata1', '#innodb_temp', 'mysql.ibd', 'ibtmp1', 'client-key.pem', 'undo_002', 'binlog.000002', 'ca.pem', 'ib_logfile1', 'mysql', 'debian-5.7.flag', 'client-cert.pem', 'binlog.index', 'server-cert.pem', 'x.pid', 'undo_001', 'ib_buffer_pool', 'performance_schema', 'auto.cnf', 'public_key.pem', 'ca-key.pem', 'ib_logfile0', 'sys', 'binlog.000003', 'server-key.pem']
PackageArchitecture: all
SourcePackage: mysql-8.0
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Tom Reynolds (tomreyn) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mysql-8.0 (Ubuntu):
status: New → Confirmed
Revision history for this message
Shivaram Lingamneni (slingamn) wrote :

A workaround is to add the following to one of the mysql config files, e.g., /etc/mysql/mysql.cnf:

[mysqld]
mysqlx_bind_address = 127.0.0.1

Alex Murray (alexmurray)
information type: Public → Public Security
Revision history for this message
Lars Tangvald (lars-tangvald) wrote :

bind-address and mysqlx-bind-address both default to *, but the config file (/etc/mysql/mysql.conf.d/mysqld.cnf) sets bind-address to 127.0.0.1, so I think we just need to do the same for mysqlx-bind-address, as mentioned above.

Revision history for this message
Tamas Papp (tomposmiko) wrote :

This is a security issue, why don't you address it properly?
In addition, the fix is just simple.

Bryce Harrington (bryce)
tags: added: server-next
Revision history for this message
Robie Basak (racb) wrote :

It is addressed properly. This was fixed in https://salsa.debian.org/mariadb-team/mysql/-/commit/94e3a663b235d7720f7e98d9f34af27aace166ef

What Ubuntu releases (if any yet) include this change needs checking. If this needs fixing in a stable Ubuntu release, then this needs separate justification and consideration for regressing users. Closing a port that a user might be using in an update to a stable release will certainly regress users using that port.

Revision history for this message
Robie Basak (racb) wrote :

Note that if you care, the workaround is to close the port in a configuration file is trivial. What remains is the trade-off in regressing users in stable releases versus a more sensible default.

Revision history for this message
Bryce Harrington (bryce) wrote :

mysql-8.0 is available only in focal, groovy, and hirsute.

Checking each release's mysqld.cnf for the fix:

  * focal: Missing
  * groovy: Has it
  * hirsute: Has it

Changed in mysql-8.0 (Ubuntu Groovy):
status: New → Fix Released
Changed in mysql-8.0 (Ubuntu Hirsute):
status: Confirmed → Fix Released
Revision history for this message
Bryce Harrington (bryce) wrote :

To reiterate Robie's point, for 20.04 this would be a behavioral change, and while it is almost surely appropriate to do, in order to get it accepted by the SRU process there needs to be a strong justification of what the trouble is if it is left as-is.

From the description it sounds like the risk only presents itself if a user inadvertently mis-configures their system. I don't know if that actually happens in practice, or if not how likely it might be, but given that there's myriad ways for a naive user to make their system insecure I'm not sure this is a compelling enough use case.

Can someone present a plausible, clearly-problematic use case that could help justify an update to change this default in 20.04?

Changed in mysql-8.0 (Ubuntu Focal):
status: New → Incomplete
Revision history for this message
Tom Reynolds (tomreyn) wrote :

I'll sum up my view on this (which I had hoped, would be yours, too):

So far, in Ubuntu, mysqld always listened on port 3306 only, and only on the loopback interface by default. 20.04 introduced a mysql server version which introduces the MySQL X protocol. The expectation a mysql server administrator will have grown since, as well as anyone who expects Ubuntu to be 'secure by default' (https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports), will be that a new Ubuntu release will not unexpectedly (and without notice) introduce new listening ports, especially not on the Internet, especially not for a service as sensitive as a database. However, this is what 20.04 does: the MySQL X service, is, by default, listening on all interfaces, on TCP port 33060.

As Bryce has clarified (thanks!), port 33060 *is* closed in later releases, which actually weakens the point that there are legitimate reasons to keep it open on 20.04 LTS. The potential regression which would be introduced by fixing this problem now (that 20.04 LTS has been released for a while), i.e. users who might since have come to expect that port 33060/tcp is listening on all interfaces, can be overcome having the preinstall/postinst script, or rather debconf, prompt about the desired configuration.

For what's it worth, Shodan.io lists several Ubuntu 20.04 systems which have the MySQL X protocol on 33060/tcp listening from the Internet.

The "MySQL X" network protocol provides effectively the same capabilities as the classic mysql network protocol (3306/tcp), and features a weak authentication method over a transport encrypted channel. Client implementations are provided, brute force attacks against the authentication are possible.

https://dev.mysql.com/doc/dev/mysql-server/latest/mysqlx_protocol.html#xprotocol_mysqlxshell_example
https://dev.mysql.com/doc/dev/mysql-server/latest/mysqlx_protocol_authentication.html

I would hope that the technical reasoning is sufficient to clarify the need for a SRU, but this should clarify how this can also pose a brand awareness / commercial risk.

Paride Legovini (paride)
tags: added: server-triage-discuss
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I don't think having the port open by default is acceptable. It was clearly an oversight when the new MySQL version was prepared, and I suspect a lot of users are now running an open port without knowing about it.

While publishing out an update that closes the port may break certain configurations, I don't think it is appropriate to leave it open by default.

As such, I will be preparing a security update for focal that closes the open port, along with an appropriate USN that notifies users about the change in behaviour.

Changed in mysql-8.0 (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Paride Legovini (paride)
tags: removed: server-next server-triage-discuss
Marc Deslauriers (mdeslaur)
Changed in mysql-8.0 (Ubuntu Focal):
status: Incomplete → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-8.0 - 8.0.22-0ubuntu0.20.04.3

---------------
mysql-8.0 (8.0.22-0ubuntu0.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: restrict open mysqlx port (LP: #1857584)
    - debian/additions/mysql.conf.d/mysqld.cnf: bind mysqlx port to
      127.0.0.1.
  * WARNING: This change may impact certain environments where the mysqlx
    port needs to be accessed from other hosts. A configuration change may
    be required.

 -- Marc Deslauriers <email address hidden> Thu, 26 Nov 2020 07:03:42 -0500

Changed in mysql-8.0 (Ubuntu Focal):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.