2014-02-12 20:24:53 |
Maciej Dobrzanski |
bug |
|
|
added bug |
2014-02-12 20:35:19 |
Maciej Dobrzanski |
description |
Percona Toolkit 2.1 introduced --version-check to check for MySQL vulnerabilities and PT updates. When this option is enabled - and it is enabled by default(!) - various information about the local MySQL as well as other system binaries and packages is submitted to Percona along with the server's IP address. This not only exposes possibly sensitive information, but also does so without bringing it to the user's attention or asking for their consent.
It gets worse. The configuration for what information PT tools should collect is not hardcoded in the scripts. Instead, every time it's downloaded from http://v.percona.com/. One of the possible parameters is a binary file name to be executed, i.e. Percona can remotely execute an arbitrary command - again, without making the user aware of what is being executed or when. To be fair, the ability to run commands is limited to running "command -v", however that's only under the assumption that the command filters will always work.
In my opinion --version-check should never be enabled by default and if the user wants to keep it enabled, the configuration (i.e. the list of checks) should be hardcoded and explicitly listed, and not downloaded from a remote location.
Current workaround: To avoid confidential information being exposed, always use --no-version-check with every PT tool that includes the 'version-check' feature (e.g. pt-query-digest, pt-diskstats). |
Percona Toolkit 2.1 introduced --version-check to warn the user about known vulnerabilities in the local MySQL instance and to check for PT updates. When this option is enabled - and it is enabled by default(!) - various information about the local MySQL as well as other system binaries and packages is submitted to Percona along with the server's IP address. This not only exposes possibly sensitive information, but also does so without bringing it to the user's attention or asking for their consent.
It gets worse. The configuration for what information PT tools should collect is not hardcoded in the scripts. Instead, every time it's downloaded from http://v.percona.com/. One of the possible parameters is a binary file name to be executed, i.e. Percona can remotely execute an arbitrary command - again, without making the user aware of what is being executed or when. To be fair, the ability to run commands is limited to running "command -v", however that's only under the assumption that the command filters will always work.
In my opinion --version-check should never be enabled by default and if the user wants to keep it enabled, the configuration (i.e. the list of checks) should be hardcoded and explicitly listed, and not downloaded from a remote location.
Current workaround: To avoid confidential information being exposed, always use --no-version-check with every PT tool that includes the 'version-check' feature (e.g. pt-query-digest, pt-diskstats). |
|
2014-02-12 20:37:31 |
Maciej Dobrzanski |
description |
Percona Toolkit 2.1 introduced --version-check to warn the user about known vulnerabilities in the local MySQL instance and to check for PT updates. When this option is enabled - and it is enabled by default(!) - various information about the local MySQL as well as other system binaries and packages is submitted to Percona along with the server's IP address. This not only exposes possibly sensitive information, but also does so without bringing it to the user's attention or asking for their consent.
It gets worse. The configuration for what information PT tools should collect is not hardcoded in the scripts. Instead, every time it's downloaded from http://v.percona.com/. One of the possible parameters is a binary file name to be executed, i.e. Percona can remotely execute an arbitrary command - again, without making the user aware of what is being executed or when. To be fair, the ability to run commands is limited to running "command -v", however that's only under the assumption that the command filters will always work.
In my opinion --version-check should never be enabled by default and if the user wants to keep it enabled, the configuration (i.e. the list of checks) should be hardcoded and explicitly listed, and not downloaded from a remote location.
Current workaround: To avoid confidential information being exposed, always use --no-version-check with every PT tool that includes the 'version-check' feature (e.g. pt-query-digest, pt-diskstats). |
Percona Toolkit 2.1 introduced --version-check to warn the user about known vulnerabilities in the local MySQL instance and to check for PT updates. When this option is enabled - and it is enabled by default(!) - various information about the local MySQL as well as other system binaries and packages is submitted to Percona along with the server's IP address. This not only exposes possibly sensitive information, but also does so without bringing it to the user's attention or asking for their consent.
It gets worse. The configuration for what information PT tools should collect is not hardcoded in the scripts. Instead, every time it's downloaded from http://v.percona.com/. One of the possible parameters is a binary file name to be executed, i.e. Percona can remotely execute an arbitrary command - again, without making the user aware of what is being executed or when. To be fair, the ability to run commands is limited to running "command -v", however that's only under the assumption that the command filters will always work. The configuration can also ask for any MySQL variable - not just the version string.
In my opinion --version-check should never be enabled by default and if the user wants to keep it enabled, the configuration (i.e. the list of checks) should be hardcoded and explicitly listed, and not downloaded from a remote location.
Current workaround: To avoid confidential information being exposed, always use --no-version-check with every PT tool that includes the 'version-check' feature (e.g. pt-query-digest, pt-diskstats). |
|
2014-02-18 09:53:29 |
Alexey Kopytov |
bug task added |
|
percona-xtrabackup |
|
2014-02-18 09:53:35 |
Alexey Kopytov |
percona-xtrabackup: status |
New |
Opinion |
|
2014-02-18 10:12:47 |
Alexey Kopytov |
summary |
Percona Toolkit behaves like spyware |
VersionCheck behaves like spyware |
|
2014-02-18 12:43:21 |
Sergei Golubchik |
bug |
|
|
added subscriber Sergei |
2014-02-20 02:26:17 |
Daniel Nichter |
percona-toolkit: assignee |
|
Daniel Nichter (daniel-nichter) |
|
2014-02-20 02:26:33 |
Daniel Nichter |
nominated for series |
|
percona-toolkit/2.1 |
|
2014-02-20 02:26:33 |
Daniel Nichter |
bug task added |
|
percona-toolkit/2.1 |
|
2014-02-20 02:26:33 |
Daniel Nichter |
nominated for series |
|
percona-toolkit/2.0 |
|
2014-02-20 02:26:33 |
Daniel Nichter |
bug task added |
|
percona-toolkit/2.0 |
|
2014-02-20 02:26:33 |
Daniel Nichter |
nominated for series |
|
percona-toolkit/2.2 |
|
2014-02-20 02:26:33 |
Daniel Nichter |
bug task added |
|
percona-toolkit/2.2 |
|
2014-02-20 02:26:48 |
Daniel Nichter |
percona-toolkit/2.0: status |
New |
Invalid |
|
2014-02-20 02:28:07 |
Daniel Nichter |
percona-toolkit/2.1: status |
New |
Invalid |
|
2014-02-20 02:28:12 |
Daniel Nichter |
percona-toolkit/2.0: assignee |
|
Daniel Nichter (daniel-nichter) |
|
2014-02-20 02:28:15 |
Daniel Nichter |
percona-toolkit/2.1: assignee |
|
Daniel Nichter (daniel-nichter) |
|
2014-02-20 02:28:38 |
Daniel Nichter |
percona-toolkit/2.2: status |
New |
Opinion |
|
2014-02-20 02:28:44 |
Daniel Nichter |
percona-toolkit/2.2: milestone |
|
2.2.7 |
|
2014-02-20 02:29:04 |
Daniel Nichter |
tags |
|
all-tools version-check |
|
2014-02-20 03:44:59 |
Daniel Nichter |
summary |
VersionCheck behaves like spyware |
--version-check behaves like spyware |
|
2014-02-20 03:45:17 |
Matt Griffin |
bug |
|
|
added subscriber Matt Griffin |
2014-02-20 03:50:56 |
Daniel Nichter |
percona-toolkit/2.2: importance |
Undecided |
High |
|
2014-02-20 03:51:09 |
Daniel Nichter |
percona-toolkit/2.2: status |
Opinion |
Fix Committed |
|
2014-02-20 15:58:31 |
Hrvoje Matijakovic |
percona-toolkit/2.2: status |
Fix Committed |
Fix Released |
|
2014-02-22 02:58:09 |
Seth Arnold |
cve linked |
|
2014-2029 |
|
2014-03-03 21:49:43 |
Daniel Nichter |
percona-toolkit/2.1: status |
Invalid |
In Progress |
|
2014-03-03 21:49:46 |
Daniel Nichter |
percona-toolkit/2.1: milestone |
|
2.1.11 |
|
2014-03-03 21:49:49 |
Daniel Nichter |
percona-toolkit/2.1: importance |
Undecided |
High |
|
2014-03-03 22:03:32 |
Daniel Nichter |
percona-toolkit/2.1: status |
In Progress |
Fix Committed |
|
2014-03-04 12:36:26 |
Hrvoje Matijakovic |
percona-toolkit/2.1: status |
Fix Committed |
Fix Released |
|