Page MenuHomePhabricator
Create Task
Maniphest T326293

CVE-2023-29139: API request timeout - CheckUserLog
Closed, ResolvedPublicSecurity
Actions

Description

Reason this is security flagged: I don't know how vulnerable multiple executions of the same API request in the form of a DoS type attack would affect a wikis server status

Error Message 1:

{"error":{"code":"internal_api_error_Wikimedia\\RequestTimeout\\RequestTimeoutException","info":"[cb78d894-a1fc-4dec-8329-08d4bfe7985a] Caught exception of type Wikimedia\\RequestTimeout\\RequestTimeoutException","errorclass":"Wikimedia\\RequestTimeout\\RequestTimeoutException"},"servedby":"mw1361"}

Error message 2:

upstream request timeout

Affected Authentications: Logged in with checkuserlog permission
Unaffected: Logged in without checkuserlog permission & logged out

Affected Wikis: Group 0 & Group 1 wikis - on MW 1.40.0-wmf.17
Not affected Wikis: Group 2 wikis - on 1.40.0-wmf.14

Reproduction:

  1. Go to a project in which you have checkuserlog abilities
  2. make a request to the API CheckUserLog where you expect a non-zero result (could even just be a generic view all CU logs request)

Ways not to reproduce:

  1. Specifying parameters where the CU log would have zero enteries - this produces as it should, no results
  2. While not logged in OR without the checkuserlog permission - this results in the proper permission denied

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: api: Only add actor table to table list when querying from itmediawiki/extensions/CheckUserREL1_40+10 -1
SECURITY: api: Only add actor table to table list when querying from itmediawiki/extensions/CheckUsermaster+2 -1
Customize query in gerrit

Related Objects

Event Timeline

AmandaNP created this task.Jan 5 2023, 8:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2023, 8:23 AM
AmandaNP added a parent task: T325580: 1.40.0-wmf.17 deployment blockers.Jan 5 2023, 8:24 AM
AmandaNP added a project: Wikimedia-production-error.
Ladsgroup added a subscriber: Zabe.Jan 5 2023, 11:24 AM
taavi triaged this task as Unbreak Now! priority.Jan 5 2023, 11:33 AM
taavi subscribed.

(as a train blocker)

Zabe added a comment.Jan 5 2023, 11:42 AM

0001-api-Only-add-actor-table-to-table-list-when-querying.patch1 KBDownload

Ladsgroup subscribed.Jan 5 2023, 11:52 AM

I was about to suggest:
you can do something much simpler:
instead of:

+			$this->addTables( [ 'actor' ] );
 			$this->addJoinConds( [ 'actor' => [ 'JOIN', 'actor_id=cul_actor' ] ] );

do:

			$this->addJoin( 'actor', null, 'actor_id=cul_actor' );

But it Api class doesn't support it which baffling to me :/ to be fixed later.

Ladsgroup added a comment.Jan 5 2023, 11:53 AM

This is good to go IMO.

It can get deployed and then immediately added to gerrit. It was introduced recently so it shouldn't be in any release branch.

Ladsgroup added a comment.Jan 5 2023, 12:37 PM

It is deployed so it shouldn't block the train anymore. I'll double check with secteam and then push it to gerrit and close this.

Ladsgroup removed a parent task: T325580: 1.40.0-wmf.17 deployment blockers.Jan 5 2023, 12:37 PM
thcipriani moved this task from Untriaged to Jan 2023 on the Wikimedia-production-error board.Jan 5 2023, 5:04 PM
sbassett added projects: SecTeam-Processed, Vuln-DoS.Jan 5 2023, 5:20 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.

Hey @Ladsgroup @taavi @Zabe -

Thanks for the quick response here. It looks like this made it to 1.40.0-wmf.17 but not 1.40.0-wmf.14, which is still where group 2 is for a little while, if I'm not mistaken. If there aren't concerns about this vuln shortly existing there for a bit, then I suppose we don't need to worry about 1.40.0-wmf.14.

SAL entry: https://sal.toolforge.org/log/LTTqgYUBa_6PSCT9o6gu

It can get deployed and then immediately added to gerrit. It was introduced recently so it shouldn't be in any release branch.

This looks to be the bad change set? https://gerrit.wikimedia.org/r/871259. It's fine to backport the security patch ASAP anyways, now that it's patched in production, as CU isn't bundled. We can also track it for the next supplemental release at T325849.

Thanks again.

sbassett changed the task status from Open to In Progress.Jan 5 2023, 5:22 PM
sbassett lowered the priority of this task from Unbreak Now! to Medium.
sbassett mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).
Zabe added a comment.Jan 5 2023, 5:34 PM
In T326293#8502232, @sbassett wrote:

Thanks for the quick response here. It looks like this made it to 1.40.0-wmf.17 but not 1.40.0-wmf.14, which is still where group 2 is for a little while, if I'm not mistaken. If there aren't concerns about this vuln shortly existing there for a bit, then I suppose we don't need to worry about 1.40.0-wmf.14.

The causing patch itself only made it into 1.40.0-wmf.17, so 1.40.0-wmf.14 is not affected by the vuln.

sbassett added a comment.Jan 5 2023, 5:35 PM
In T326293#8502276, @Zabe wrote:

The causing patch itself only made it into 1.40.0-wmf.17, so 1.40.0-wmf.14 is not affected by the vuln.

Ah, missed that, thanks!

Zabe added a project: CheckUser.Jan 5 2023, 8:16 PM
Zabe added a subscriber: gerritbot.Jan 9 2023, 10:00 PM
gerritbot added a comment.Jan 9 2023, 10:04 PM

Change 877267 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CheckUser@master] SECURITY: api: Only add actor table to table list when querying from it

https://gerrit.wikimedia.org/r/877267

gerritbot added a project: Patch-For-Review.Jan 9 2023, 10:04 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.Jan 9 2023, 10:17 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Dreamy_Jazz subscribed.Jan 9 2023, 10:19 PM

Apologies for not catching that in my review. Thanks for the quick response everyone.

gerritbot added a comment.Jan 9 2023, 10:21 PM

Change 877267 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: api: Only add actor table to table list when querying from it

https://gerrit.wikimedia.org/r/877267

Zabe closed this task as Resolved.Jan 9 2023, 10:22 PM
Zabe claimed this task.
Maintenance_bot removed a project: Patch-For-Review.Jan 9 2023, 10:32 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jan 9 2023, 10:35 PM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.18; 2023-01-09).Jan 9 2023, 11:00 PM
mmartorana renamed this task from API request timeout - CheckUserLog to CVE-2023-29139: API request timeout - CheckUserLog.Apr 3 2023, 3:19 PM
gerritbot added a comment.Apr 4 2023, 7:51 PM

Change 905732 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: api: Only add actor table to table list when querying from it

https://gerrit.wikimedia.org/r/905732

gerritbot added a project: Patch-For-Review.Apr 4 2023, 7:51 PM
gerritbot added a comment.Apr 4 2023, 8:01 PM

Change 905732 abandoned by SBassett:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: api: Only add actor table to table list when querying from it

Reason:

Already on 1.40

https://gerrit.wikimedia.org/r/905732

Maintenance_bot removed a project: Patch-For-Review.Apr 4 2023, 8:12 PM
Dreamy_Jazz added a comment.EditedApr 4 2023, 8:12 PM

The CVE description is wrong here. This problem was never present in any release of 1.39. The only versions this was an issue in were specific 1.40-wmf.* branches and the master branch as far as I remember. Can this be updated (@sbassett)? Maybe using 1.40-alpha as the version would work here?

Legoktm subscribed.Apr 4 2023, 8:14 PM

If it was never in a stable release the CVE should just be retracted.

Dreamy_Jazz added a comment.Apr 4 2023, 8:16 PM
In T326293#8756627, @Legoktm wrote:

If it was never in a stable release the CVE should just be retracted.

From what I can tell, this was never in a stable release, so as long as I've not missed something I think that should be done.

sbassett added a comment.Apr 4 2023, 8:42 PM
In T326293#8756619, @Dreamy_Jazz wrote:

The CVE description is wrong here. This problem was never present in any release of 1.39. The only versions this was an issue in were specific 1.40-wmf.* branches and the master branch as far as I remember. Can this be updated (@sbassett)? Maybe using 1.40-alpha as the version would work here?

I can send an update or retraction to Mitre. I could go either way, tbh. For the supplemental release, where ext:CheckUser security issues land, the bar is pretty low and we often still request CVEs for things that just land on master, which this did. But yes, the bug was quickly introduced and quickly fixed, so it might be too inconsequential even for that.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits