
/w/api.php?action=languagesearch denial of service (CVE-2021-46149)
Closed, Resolved | Public | Security

Description

While browsing the Language team dashboard in Logstash, I came across a bunch of timeouts from the language search API:

/w/api.php?action=languagesearch&format=json&origin=*&search=teuoyuepuuoiuuuuouuuiqpitouppotuouqtropuuyuyroopepupyotutqiuiuuuooqquypyouopptoiooupipyoouououuptyppuouuouytpeuouuuoiuoriupuouppuquupoiyrpuooypuupuopootpoieppppyrutpptptpiuqerppyuqrpupwoeuppuopouuoupuuuoouupuopupptuupootouuouuqouoeouuurpoowuquooyuuytppepriiuttupuetopuutuppuoppupoupuopouiuopupppuuteupiuuyuputiyootorqyoueeuuuuyptpuuuuyioiyuteupuypuoropqupuuorpputopouuuuttoiputyootooooyuuyuoqupytuoqpoooootuouuuoiouyppuwouyououuptrotuuupetyiiueuuoyuqyrquiouuqtuuouiyouoiupuoopeqtoueoeuopuuproouuoyupupouuttuuurutopuopotuuyuuyprpyureoieopuppouooooooyutyoouuiyqypyuruutiuouuutywuutuuuuiiuuropyuutuyuiuiuyupurioruypupiioitpppuqruyoooyopuouuiouuueuyiuppuuptppouuuepuyttuquuppuotuyutuoupppriupuquputuetypupooouueupuuporuouupurupueoupyiyurpuyuuooyytuuouyuupuouoqpupyuuoeioqoyuyuoupupupooopuyuoyuupouuppoooppoiipueuuruiouurouyupupouuouupqoyruqiuouoqtwteuoouupuuppuoqyuepopoupuueououurupuprppoptoupyuqepuouqttepioyuuuuurputoopttppyiyioiyuoriuuootuupuuyppuuuyyupoyiuuuuupuuouuquppiuyuyypeppptppipioutoieupytuwuuutoupuopuirtuuuuuoouuutoptpiuuuuiotyuuiutuuuoupopioitpurpopouputpuuoippuuyopitptouuuopiorutoitopputuqyuptiotipopouuooeiuuuouttuoiuuqppoottqioouuouuyipueuuouppruuprupewuiypuporoqupuyiiopoouuoputuoeyuoyyoppououutuwrooetuyoyyuouupiuuuuuuuruyutoiiuquypouopuuioyiuouituoppootyytuqypoupuiuuuuoupyoyuptooeuupuuuquuuuqiuprpuyiuuuuopottuppppiptuqypupypuopuwiuutpytuuyoouupuquouuyuoyuputyqrupuooutouuupuptuiiruqupoutpooupuopuprtuooouupuoooipipupoopruupuyppuequouryuuoptoouoouuowuouyuouuupoyeyrouoouuouuuoupuqupiupioupoptupuououououueueyoyoeuutepuypppouuuupiouuperpupuyuuytuouooqttuoutuppouuoiuutooopoeoootuquuuptrtoueepuyuouyuuitppiottupyeruppyooueuqqurqooituutupyuuuipyoouyuuyuutpryyouquooyuuuuptutuupppptqeutioqtotuyuqipuoyuyyquutwpuuuuqoupyooopouippoyutoupttprptripiurooopiuipootopeupyuuryueuuppuuuuuuoptppiuupiouuoupprpyorytiyopttuippptitortpooyeuooyppuuoiutuuyouuppuruuouuuputpiuuuupouuuuuyppiuiyuuuuyiuiupruupuuouyruoutuouoyuuueipoouuuuuuppp
pptitituuittuewpouiipppupyoytuiuioyuuuyopuyuruputruyuuuqyypuyoyuuyuopyuorupuoyuruuuppytpppiuuutuotoytuiquwpitytuuooopyoupeuuuyuuuuieyteippouuooutpuyoyuyupuiutpuuppuutytutputurptupuurptoyuuoputuuoquopoupyouutoupuioutuuuuuuopuuypueouiuuopuppyuuyyoetouurppuouuyupuuupuytoqupupuuytypopuitoyuupoouyuypyuuiryoeptououupouuiuopuuuiyopupyuruquppyupuuuuoupoupuuquiouriuuputppuiyuutuuyppiroouuoouoipuuoputuptioprpututouiuueopppuuqpypuupotuuutyoupuuptpuupyyouuwurutpotuytuuotipuuupueouopqppeotuurueippuurptpoyupuuoyeiiuuurouqippwoppurutuuuupututipiuuuouupououpqpipiopuyoupyuuuirpoupyuututrueouryuputqiuyyouttiutoeuuopuuuutqpouoyptuupotueyuuopptqouuuuiutieuoipttpoouuprouotwtuuuiyqeuuuotupiutuyruuyyyyouiruittuouuuyppoyyupeupuupuotuuppppuuoiuuouuooyruuuuuuuprtpttuuppuuupiuutiutooppuoyouopiuttropyuypouyyqoipupoupuuoqutpouuiqrrouuupptpupoppoyuyuuorutrpuyypuyopouuupuuoquuuuuutyopuupuouyeueotyupuuuieuuuyooiyuruoiupyiqpupuptyuypuryppoyuruuoorpooyuuuotpuuuuuiiiuutytupppoyopyuurupuyyupupppwuouipuyuyytwroioiuueyopyutoopupuepipououpttououoquupitrwuppupupuyoyouyputopuioioupptuouyeuouuouoiituutproupoppuupuyupuuupuipoyuoruypipuuuuoiouuiouorooyuououtouuuowuiootuutyuuqupuupyppyouyrquoqyqputouuoitooyriuruupywtouuiutuouuuttipyypouuputuuopetouoeiuuuurrqopuppyuyuuupiuoutopppppuypupututuutouypopyepuoooiupitytpptupyqirtuoruuwpuoooououeoruyouwuuqoupuuritutuuipuppuupitppppppirouypuoiuoqoopuuouuuuuuttuypuuoppputituutootpuupyuptyiotoooutqyupuuuuouitouwpotyuoiuyutptpoeoipuuuyruoouuioutuuippuoupptuupyuypoputyyuptupuyoyuuouypypopowoprpoppuprppuputopppupyypuupooeruyiouyopuyuuptuttuiquptyuupotopiuouuottouotpuuoutopqouuouopupoiypyoqouuyupoyppyopiquuippiuyyoitoiuuutyuuoqypwyppooopuouooiopppopuuyruytupopprroupirqtiotuuquowuuqtituiiqpouuppyuu&formatversion=2
from /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(97)
#0 /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(72): Wikimedia\RequestTimeout\Detail\ExcimerTimerWrapper->onTimeout(integer)
#1 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(187): Wikimedia\RequestTimeout\Detail\ExcimerTimerWrapper->Wikimedia\RequestTimeout\Detail\{closure}(integer)
#2 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(179): LanguageNameSearch::levenshteinDistance(string, string)
#3 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(103): LanguageNameSearch::levenshteinDistance(string, string)
#4 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(70): LanguageNameSearch::matchNames(string, string, integer)
#5 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/includes/api/ApiLanguageSearch.php(29): LanguageNameSearch::search(string, integer, string)
#6 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(1878): ApiLanguageSearch->execute()
#7 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(857): ApiMain->executeAction()
#8 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(828): ApiMain->executeActionWithErrorHandling()
#9 /srv/mediawiki/php-1.38.0-wmf.4/api.php(90): ApiMain->execute()
#10 /srv/mediawiki/php-1.38.0-wmf.4/api.php(45): wfApiMain()
#11 /srv/mediawiki/w/api.php(3): require(string)
#12 {main}

More specifically, there were 1757 such requests on viwiki on 2021-10-17, which was clearly an intentional DoS attempt.

Event Timeline

Doing some quick stats, the longest language name is 154 bytes, or 76 "mb_strlen" characters, long. But it's questionable whether doing a typo match on such a long search query is useful. I propose we skip fuzzy search when the mb_strlen value is longer than, say, 25, or at most 76 if we want to avoid any user impact.
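The failure mode in the description (an unbounded search key compared against every language name with Levenshtein distance) and the length cut-off proposed above, as an added example in Python. This is not code from the UniversalLanguageSelector extension; the sample name table, the 25-character cut-off and the edit-distance threshold of 2 are assumptions made for illustration. The real ULS table holds thousands of names, which is the multiplier that turns one long key into a request timeout.

```python
"""Added example: why an unbounded fuzzy-search key is a CPU DoS, and the
length cut-off that stops it. Not code from the UniversalLanguageSelector
extension; the sample table and both thresholds below are assumptions."""
from typing import Dict, List, Optional, Tuple

# Constructed sample table. The real ULS table holds thousands of names,
# and every one of them is compared against the search key.
LANGUAGE_NAMES: Dict[str, List[str]] = {
    "en": ["English"],
    "vi": ["Tiếng Việt", "Vietnamese"],
    "de": ["Deutsch", "German"],
    "fr": ["français", "French"],
    "ja": ["日本語", "Japanese"],
}

MAX_FUZZY_KEY_LENGTH = 25  # cut-off proposed in the thread (assumed value)
TYPO_THRESHOLD = 2         # edit distance still treated as a typo (assumed)


def levenshtein_distance(a: str, b: str) -> Tuple[int, int]:
    """Edit distance over code points (multibyte-safe, like mb_strlen).

    Returns (distance, cells): `cells` counts DP cell updates, which is the
    O(len(a) * len(b)) work an attacker controls through the key length.
    """
    if not a:
        return len(b), 0
    if not b:
        return len(a), 0
    prev = list(range(len(b) + 1))
    cells = 0
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
            cells += 1
        prev = cur
    return prev[-1], cells


def search(key: str,
           max_fuzzy_len: Optional[int] = MAX_FUZZY_KEY_LENGTH
           ) -> Tuple[List[Tuple[str, str]], int]:
    """Return (matches, dp_cells). Substring matching always runs (linear
    cost); the quadratic typo match only runs when the key is short enough.
    Pass max_fuzzy_len=None to see the unguarded behaviour."""
    key_lc = key.lower()
    fuzzy_allowed = max_fuzzy_len is None or len(key_lc) <= max_fuzzy_len
    matches: List[Tuple[str, str]] = []
    cells = 0
    for code, names in LANGUAGE_NAMES.items():
        for name in names:
            name_lc = name.lower()
            if key_lc in name_lc:          # cheap path first
                matches.append((code, name))
                break
            if fuzzy_allowed:
                distance, n = levenshtein_distance(key_lc, name_lc)
                cells += n
                if distance <= TYPO_THRESHOLD:
                    matches.append((code, name))
                    break
    return matches, cells


if __name__ == "__main__":
    print(search("Englsh"))                         # typo match still works
    long_key = "u" * 3000                           # shape of the logged requests
    print(search(long_key)[1])                      # 0 DP cells with the cut-off
    print(search(long_key, max_fuzzy_len=None)[1])  # quadratic work without it
```

The cell counter makes the cost visible: each name costs len(key) × len(name) cell updates, so a 3000-character key costs 3000 times the total length of the name table per request before the guard, and zero fuzzy work once the cut-off applies while short typo'd keys still match. A further cheap bound worth adding in practice: Levenshtein distance is never smaller than the difference in lengths, so any name whose length differs from the key by more than the typo threshold can be skipped without running the DP at all.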

The patch was made publicly by mistake. Hopefully the impact is limited, though; looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will be included in our next MLEB release this week.

It should also be backported to supported release branches, I think.

> The patch was made publicly by mistake. Hopefully the impact is limited, though; looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will be included in our next MLEB release this week.

Well, we're probably close enough to the train cut that the gerrit patch can just go along with that and roll out this week. The commit message was fairly benign, so the only hint that this is a security issue is the linked private bug and the patch itself. ULS isn't bundled so there's no issue with the upcoming security release there, as this would just be included within the supplemental announcement, which often includes several already-public security issues. Anyhow, the Security-Team will chat about this today during our clinic and see if we have any additional guidance to provide.

> It should also be backported to supported release branches, I think.

Yes, it should. The Security-Team can start those picks.

Change 733923 had a related patch set uploaded (by SBassett; author: Santhosh):

[mediawiki/extensions/UniversalLanguageSelector@REL1_37] Language name search: Avoid searching for very long search keys

https://gerrit.wikimedia.org/r/733923

Change 733924 had a related patch set uploaded (by SBassett; author: Santhosh):

[mediawiki/extensions/UniversalLanguageSelector@REL1_36] Language name search: Avoid searching for very long search keys

https://gerrit.wikimedia.org/r/733924

Change 733925 had a related patch set uploaded (by SBassett; author: Santhosh):

[mediawiki/extensions/UniversalLanguageSelector@REL1_35] Language name search: Avoid searching for very long search keys

https://gerrit.wikimedia.org/r/733925

Change 733923 merged by jenkins-bot:

[mediawiki/extensions/UniversalLanguageSelector@REL1_37] Language name search: Avoid searching for very long search keys

https://gerrit.wikimedia.org/r/733923

Change 733924 merged by jenkins-bot:

[mediawiki/extensions/UniversalLanguageSelector@REL1_36] Language name search: Avoid searching for very long search keys

https://gerrit.wikimedia.org/r/733924

Change 733925 merged by jenkins-bot:

[mediawiki/extensions/UniversalLanguageSelector@REL1_35] Language name search: Avoid searching for very long search keys

https://gerrit.wikimedia.org/r/733925

mmartorana renamed this task from /w/api.php?action=languagesearch denial of service to /w/api.php?action=languagesearch denial of service (CVE-2021-46149). Mon, Jan 10, 5:03 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)". Mon, Jan 10, 6:11 PM
mmartorana changed the edit policy from "Custom Policy" to "All Users".

> The patch was made publicly by mistake. Hopefully the impact is limited, though; looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will be included in our next MLEB release this week.
>
> It should also be backported to supported release branches, I think.

In other words: If people are either using MLEB 2021.10, 2021.11 or preferably 2021.12 they are cool?!

> In other words: If people are either using MLEB 2021.10, 2021.11 or preferably 2021.12 they are cool?!

Yes. You can check this yourself by going to https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UniversalLanguageSelector/+/732274/ and then, around the middle of the screen on the right-hand side, you can see "Included in", which shows the tags and branches where the patch is present (it does not show backports, though).

Cool, thanks for confirming. Thanks also for the tip. Never noticed this one.