Jump to content

Incidents/2022-06-16 MariaDB password leak

From Wikitech

document status: in-review

Summary

Incident metadata (see Incident Scorecard)
Incident ID 2022-06-16 MariaDB password leak Start 13:00
Task T310796 End 15:00
People paged 0 Responder count 8
Coordinators moritz Affected metrics/SLOs
Impact For about 2 hours, a current production database password was publicly known. No user-facing impact, and no data was compromised. While the incident broke an important security boundary, other boundaries (specifically, firewalls) prevented data compromise.

While troubleshooting database issue on labtestwikitech, I (Andrew) dumped some internal data structures to stdout while debugging in PHP via print statements. These data structures contained database credentials. It took a bit for me to remember that because of how PHP works, print statements (also) write the response to web clients.

The standard practice for ad-hoc debugging is wfDebugLog(), see also Debugging in production.

As soon as Sam Reed noticed the leakage there was a quick response and the password was rotated. Due to incomplete automation, rotating the password took quite some time (maybe 60-90 minutes with several SREs participating).

Because of firewalls and host-selective database grants, the leaked passwords are only useful from production hosts (10.64.0.0 and 10.192.0.0) so data integrity was not compromised.

Actionables

  • document the repool script for dbctl in wikitech
  • reconsider labtestwikitech. Decommission, or standardize to some degree so it isn't managed as an afterthought
  • Improve automation:
    • upgrade & document password-rotation script
    • productionize repool script
  • Consider improved pw redaction:
    • The data shown by var_dump(), print_r() etc. has theoretically been configurable via the __debugInfo() magic method since PHP 5.4 (RFC). T277618 proposed using this mechanism (originally to reduce the size of the output, rather than to redact sensitive information), but found PHP bug 80894, which is only fixed in PHP 7.4 or later. Once WMF is on PHP 7.4 (T271736), we should consider using __debugInfo() to remove the password from the debug output of database objects. (And $wgDBpassword from globals / config?)
    • In PHP 8.2, the \SensitiveParameter attribute can be used to redact function parameters from stack traces (RFC), though that’s less relevant for us since (I think?) we never show stack traces with values anyways (only value types).

Scorecard

Incident Engagement ScoreCard
Question Answer

(yes/no)

Notes
People Were the people responding to this incident sufficiently different than the previous five incidents? No
Were the people who responded prepared enough to respond effectively Yes
Were fewer than five people paged? No pages were sent
Were pages routed to the correct sub-team(s)? No pages were sent
Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours. No pages were sent
Process Was the incident status section actively updated during the incident? No No need
Was the public status page updated? No No need
Is there a phabricator task for the incident? Yes
Are the documented action items assigned? No
Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence? Yes
Tooling To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are

open tasks that would prevent this incident or make mitigation easier if implemented.

Were the people responding able to communicate effectively during the incident with the existing tooling? Yes
Did existing monitoring notify the initial responders? No We have no monitoring for this sort of issue
Were the engineering tools that were to be used during the incident, available and in service? Yes
Were the steps taken to mitigate guided by an existing runbook? No
Total score (count of all “yes” answers above)