

CVE-2020-10996 – Percona XtraDB Cluster SST script static key
source link: https://www.percona.com/blog/2020/04/20/cve-2020-10996-percona-xtradb-cluster-sst-script-static-key/

CVE-2020-10996
Percona XtraDB Cluster versions greater than 5.7.22-29.26 and less than 5.7.28-31.42.1 shipped a script that handled SST transfers to nodes. Because of an error in the bash script that drives this process, the key used for the transfer was inadvertently set to a static value.
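The affected range above is bounded on both sides by Percona's two-part release numbers, so a plain string comparison is not enough. The following added check (not code from Percona or from the advisory) parses a release number of the form the advisory uses, `X.Y.Z-A.B[.C]`, into comparable integer tuples and reports whether it falls strictly inside the range; the input format and the helper names are assumptions, and output of `SELECT VERSION()` may carry extra suffixes that you would strip first.

```python
import re
import sys
from typing import Tuple

# Bounds quoted in the advisory: affected if strictly greater than the first
# and strictly less than the second (the second is the fixed release).
LOWER_EXCL = "5.7.22-29.26"
UPPER_EXCL = "5.7.28-31.42.1"

VersionKey = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_pxc_version(version: str) -> VersionKey:
    """Parse 'X.Y.Z-A.B[.C]' into ((X, Y, Z), (A, B[, C])).

    Tuples compare element-wise, so 5.7.28-31.42 sorts below 5.7.28-31.42.1.
    Anything after the second numeric group (e.g. a '-log' suffix) is ignored.
    The format itself is an assumption based on the advisory's release numbers.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Percona release number: {version!r}")
    upstream = tuple(int(part) for part in m.group(1).split("."))
    percona = tuple(int(part) for part in m.group(2).split("."))
    return upstream, percona


def is_affected(version: str) -> bool:
    """True when the release lies strictly between the two advisory bounds."""
    key = parse_pxc_version(version)
    return parse_pxc_version(LOWER_EXCL) < key < parse_pxc_version(UPPER_EXCL)


def classify(versions) -> dict:
    """Map each release number to 'affected' / 'not affected' for a fleet report."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; replace with the versions your nodes report.
    sample = sys.argv[1:] or ["5.7.22-29.26", "5.7.23-31.31", "5.7.28-31.42", "5.7.28-31.42.1"]
    for version, status in classify(sample).items():
        print(f"{version:<16} {status}")
```

Run it with one or more release numbers as arguments; the exclusive bounds mean 5.7.22-29.26 and the fixed 5.7.28-31.42.1 both report as not affected.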
Applicability
Exploiting this error requires time-limited access to the SST files. Because SST files are ephemeral, the window in which an attacker with filesystem access can exploit the issue is limited.
The issue also requires that InnoDB at-rest encryption be enabled, which is not considered a GA feature at the time of writing.
Credits
Percona would like to thank Pavel Kasko for discovering this issue, and working to aid resolution.
More Information
- CVE-2020-10996
- https://jira.percona.com/browse/PXC-3117
Release notes