MySQL X protocol port 33060 listening on network by default
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mysql-8.0 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Marc Deslauriers | |
| Groovy | Fix Released | Undecided | Unassigned | |
| Hirsute | Fix Released | Undecided | Unassigned | |
Bug Description
MySQL Server 8.0 (on Eoan) binds to / listens on *:33060/tcp (MySQL X protocol) by default. For the classic shell it binds to localhost:3306/tcp only, as users will have gotten used to expect.
This seems like a potentially dangerous change of defaults - users may not expect the service to start listening on an additional port (33060), and may not expect the MySQL X protocol server to bind to *.
By default, no authentication should be possible from the network on the MySQL X protocol (I tested using the debian-sys-maint user and its password, as well as the root user, without a password). Some users may, however, assume that network access is not possible and choose to set simple mysql user passwords (for access from any host). Doing so would certainly involve negligent operation on the users' part, but this does not make it unlikely to happen. Ubuntu should (continue to) come with secure defaults, where services which are more likely to be used locally only (at least initially) should not listen on the network (anywhere but on localhost anyways) by default.
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: mysql-server 8.0.18-
ProcVersionSign
Uname: Linux 5.3.0-24-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
Date: Thu Dec 26 06:13:34 2019
InstallationDate: Installed on 2019-10-17 (69 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191016.5)
Logs.var.
MySQLConf.
MySQLConf.
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
MySQLVarLibDirL
PackageArchitec
SourcePackage: mysql-8.0
UpgradeStatus: No upgrade log present (probably fresh install)
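Added example, not code from the bug report or from the Ubuntu mysql-8.0 package: a small POSIX shell check that flags a MySQL X protocol listener on port 33060 bound to a wildcard address (the default the report describes), plus a helper that writes a mysqld drop-in pinning the X protocol to loopback. It assumes the usual `ss -Hltn` column layout (local address:port in column 4); the sample listings are constructed, and the drop-in file name `zz-mysqlx-local.cnf` is an assumed name inside `/etc/mysql/mysql.conf.d/`.

```shell
#!/bin/sh
# Added example, not part of the Launchpad report: detect a MySQL X protocol
# listener (port 33060) bound to a wildcard address, and write a mysqld
# drop-in that pins it to loopback. Assumes ss(8) output in the usual
# `ss -Hltn` column layout (local address:port in column 4).

# Constructed sample in the shape of `ss -Hltn` on the default install the
# report describes: classic protocol on loopback, X protocol on every address.
SAMPLE_DEFAULT='LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 70 *:33060 *:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# Constructed sample after setting mysqlx-bind-address = 127.0.0.1.
SAMPLE_HARDENED='LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*'

# Print the local address of every port-33060 listener bound to a wildcard
# (0.0.0.0, *, [::] or ::). Reads ss-style lines on stdin, so live use is:
#   ss -Hltn | xproto_wildcard_listeners
xproto_wildcard_listeners() {
    awk '{
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port + 0 == 33060 &&
            (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::"))
            print addr
    }'
}

# Summarise one ss-style listing ($1): prints "exposed" when a wildcard-bound
# X protocol listener is present, "local-only" otherwise.
check_xproto_exposure() {
    hits=$(printf '%s\n' "$1" | xproto_wildcard_listeners)
    if [ -n "$hits" ]; then
        echo "exposed"
    else
        echo "local-only"
    fi
}

# Write a mysqld drop-in that keeps the X protocol on loopback. $1 is the
# target path; /etc/mysql/mysql.conf.d/zz-mysqlx-local.cnf is an assumed file
# name inside the conf.d directory that Ubuntu's /etc/mysql/mysql.cnf includes.
# mysqlx-bind-address is the MySQL 8.0 option (mysqlx_bind_address as a system
# variable); it is not dynamic, so mysql.service must be restarted afterwards.
write_xproto_hardening() {
    printf '%s\n' \
        '[mysqld]' \
        '# Keep the MySQL X protocol (port 33060) listener off the network' \
        'mysqlx-bind-address = 127.0.0.1' > "$1"
}

# Stand-alone demo over the constructed samples.
echo "default install: $(check_xproto_exposure "$SAMPLE_DEFAULT")"
echo "hardened:        $(check_xproto_exposure "$SAMPLE_HARDENED")"
```

On a live host, `ss -Hltn | xproto_wildcard_listeners` prints nothing when the X protocol is already confined to loopback; after writing the drop-in and restarting mysql.service, the same pipeline should stay empty while `127.0.0.1:33060` still appears in the full `ss -ltn` listing.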
information type: Public → Public Security
tags: added: server-next
tags: added: server-triage-discuss
tags: removed: server-next server-triage-discuss
Changed in mysql-8.0 (Ubuntu Focal):
status: Incomplete → In Progress
Status changed to 'Confirmed' because the bug affects multiple users.