Incidents/2022-06-16 MariaDB password leak
document status: in-review
|Incident ID||2022-06-16 MariaDB password leak||Start||13:00|
|People paged||0||Responder count||8|
|Impact||For about 2 hours, a current production database password was publicly known. No user-facing impact, and no data was compromised. While the incident broke an important security boundary, other boundaries (specifically, firewalls) prevented data compromise.|
While troubleshooting database issue on labtestwikitech, I (Andrew) dumped some internal data structures to stdout while debugging in PHP via
The standard practice for ad-hoc debugging is
wfDebugLog(), see also Debugging in production.
As soon as Sam Reed noticed the leakage there was a quick response and the password was rotated. Due to incomplete automation, rotating the password took quite some time (maybe 60-90 minutes with several SREs participating).
Because of firewalls and host-selective database grants, the leaked passwords are only useful from production hosts (10.64.0.0 and 10.192.0.0) so data integrity was not compromised.
- document the repool script for dbctl in wikitech
- reconsider labtestwikitech. Decommission, or standardize to some degree so it isn't managed as an afterthought
- Improve automation:
- upgrade & document password-rotation script
- productionize repool script
- Consider improved pw redaction:
- The data shown by var_dump(), print_r() etc. has theoretically been configurable via the __debugInfo() magic method since PHP 5.4 (RFC). T277618 proposed using this mechanism (originally to reduce the size of the output, rather than to redact sensitive information), but found PHP bug 80894, which is only fixed in PHP 7.4 or later. Once WMF is on PHP 7.4 (T271736), we should consider using __debugInfo() to remove the password from the debug output of database objects. (And $wgDBpassword from globals / config?)
- In PHP 8.2, the \SensitiveParameter attribute can be used to redact function parameters from stack traces (RFC), though that’s less relevant for us since (I think?) we never show stack traces with values anyways (only value types).
|People||Were the people responding to this incident sufficiently different than the previous five incidents?||No|
|Were the people who responded prepared enough to respond effectively||Yes|
|Were fewer than five people paged?||No pages were sent|
|Were pages routed to the correct sub-team(s)?||No pages were sent|
|Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours.||No pages were sent|
|Process||Was the incident status section actively updated during the incident?||No||No need|
|Was the public status page updated?||No||No need|
|Is there a phabricator task for the incident?||Yes|
|Are the documented action items assigned?||No|
|Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence?||Yes|
|Tooling||To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are
open tasks that would prevent this incident or make mitigation easier if implemented.
|Were the people responding able to communicate effectively during the incident with the existing tooling?||Yes|
|Did existing monitoring notify the initial responders?||No||We have no monitoring for this sort of issue|
|Were the engineering tools that were to be used during the incident, available and in service?||Yes|
|Were the steps taken to mitigate guided by an existing runbook?||No|
|Total score (count of all “yes” answers above)|