Denial of Service: mysql-server going berserk when contacted by unauthorized client
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
MySQL Server | Unknown | Unknown | | |
mysql-5.7 (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Hi,
on one of our servers we noticed that under certain conditions mysql-server can be caused to go berserk, i.e. run with 400% CPU load, spit out extreme tons of log messages and deny its work completely when contacted by a client that is not (!) authorized to connect.
I've boiled this down to a simple scenario in a LXD box to demonstrate the problem:
1. create a fresh LXD container (or any environment of your choice with a fresh 16.04) and enter it:
lxc launch x mysqltest
lxc exec mysqltest -- /bin/bash
2. inside the container do
apt-get update
apt-get upgrade
apt-get install mysql-server
edit /etc/mysql/
/etc/init.d/mysql restart
Verify with netstat or lsof -i that mysql is not bound to loopback but has a general socket open
Add the line
ALL: ALL
to /etc/hosts.deny
Add the line
mysqld: 1.2.3.4
to /etc/hosts.allow
3. contact the mysqld from outside from any host that is not (!) allowed to connect by /etc/hosts.*, e.g. just from your Host running LXD, with a simple
telnet 192.168.200.221 mysql
(use the ip address of your container, of course)
no need to enter anything
4. Inside the container: Watch the daemon using all CPU (here: permanently oscillating between 100% and 400% CPU usage)
strace shows endless
[pid 4143] accept(-1, 0x7ffd120dbb20, 0x7ffd120dbabc) = -1 EBADF (Bad file descriptor)
[pid 4143] poll([{fd=28, events=POLLIN}, {fd=29, events=POLLIN}], 2, -1) = 1 ([{fd=28, revents=POLLNVAL}])
loop.
/var/log/
2017-02-
and thus filling the disk.
regards
information type: Public Security → Public
tags: added: needs-upstream-report
Changed in mysql-5.7 (Ubuntu):
importance: Undecided → High
Thanks for the bug Hadmut; I'm marking this public so that administrators can more quickly learn that using tcpwrappers for access control has the potential for trouble with mysqld, and can switch to iptables or other firewalling as appropriate.
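The strace lines in the report show poll() returning at once with POLLNVAL and accept() failing with EBADF. As an added illustration (not MySQL's code and not part of the original report), this C program reproduces that syscall behaviour on a deliberately closed pipe descriptor and contrasts it with a loop that retires the descriptor when POLLNVAL is reported; `make_stale_fd` and `run_loop` are hypothetical names, and the 50 ms timeout and iteration cap exist only so the demonstration terminates.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for a listener that was closed behind the event
 * loop's back: open a pipe, close both ends, keep the stale fd number. */
static int make_stale_fd(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    close(p[1]);
    close(p[0]);
    return p[0];                  /* no longer refers to an open file */
}

/* Runs at most max_iter turns and returns how often poll() woke the loop.
 * *ebadf counts accept() calls that failed with EBADF. */
static int run_loop(int fd, int max_iter, int guarded, int *ebadf)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int wakeups = 0;

    *ebadf = 0;
    for (int i = 0; i < max_iter; i++) {
        if (poll(&pfd, 1, 50) <= 0)   /* 50 ms cap; the strace shows -1 */
            break;                    /* timeout: nothing left to wait on */
        wakeups++;
        if (guarded && (pfd.revents & (POLLNVAL | POLLERR))) {
            pfd.fd = -1;              /* poll() skips negative descriptors */
            continue;                 /* a server would log once, then reopen or exit */
        }
        /* Unguarded path: revents is never inspected, so every wakeup
         * ends in accept() on a descriptor that is not open. */
        if (accept(pfd.fd, NULL, NULL) < 0 && errno == EBADF)
            (*ebadf)++;
    }
    return wakeups;
}

int main(void)
{
    int ebadf;
    int w = run_loop(make_stale_fd(), 1000, 0, &ebadf);
    printf("unguarded: %d wakeups, %d EBADF\n", w, ebadf);
    w = run_loop(make_stale_fd(), 1000, 1, &ebadf);
    printf("guarded:   %d wakeups, %d EBADF\n", w, ebadf);
    return 0;
}
```

Without the guard, every one of the 1000 turns wakes immediately and fails, which is the busy loop and log flood described in the report; with it, the loop wakes once and then idles.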