You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
Incidents/2022-06-16 MariaDB password leak
document status: draft
|Incident ID||2022-06-16 MariaDB password leak||Start||13:00|
|People paged||0||Responder count||8|
|Impact||No user-facing impact. This incident broke a very important security boundary but other boundaries (specifically, prod host access) prevented actual data compromise.|
While troubleshooting database issue on labtestwikitech, I (Andrew) dumped some internal data structures to stdout using debug print() lines. These data structures contained database credentials. It took a bit for me to remember that because of how PHP works, 'print' statements also display for all web clients.
As soon as Sam Reed noticed the leakage there was a quick response and the password was rotated. Due to incomplete automation, rotating the password took quite some time (maybe 60-90 minutes with several SREs participating).
Because of firewalls and host-selective database grants, the leaked passwords are only useful from production hosts (10.64.% and 10.192.%) so data integrity was not affected.
- document the repool script for dbctl in wikitech
- reconsider labtestwikitech. Decommission, or standardize to some degree so it isn't managed as an afterthought
- Improve automation:
- upgrade & document password-rotation script
- productionize repool script
- Consider improved pw redaction:
- The data shown by var_dump(), print_r() etc. has theoretically been configurable via the __debugInfo() magic method since PHP 5.4 (RFC). T277618 proposed using this mechanism (originally to reduce the size of the output, rather than to redact sensitive information), but found PHP bug 80894, which is only fixed in PHP 7.4 or later. Once WMF is on PHP 7.4 (T271736), we should consider using __debugInfo() to remove the password from the debug output of database objects. (And $wgDBpassword from globals / config?)
- In PHP 8.2, the \SensitiveParameter attribute can be used to redact function parameters from stack traces (RFC), though that’s less relevant for us since (I think?) we never show stack traces with values anyways (only value types).
|People||Were the people responding to this incident sufficiently different than the previous five incidents?||No|
|Were the people who responded prepared enough to respond effectively||Yes|
|Were fewer than five people paged?||No pages were sent|
|Were pages routed to the correct sub-team(s)?||No pages were sent|
|Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours.||No pages were sent|
|Process||Was the incident status section actively updated during the incident?||No need|
|Was the public status page updated?||No need|
|Is there a phabricator task for the incident?||Yes||https://phabricator.wikimedia.org/T310796|
|Are the documented action items assigned?||No|
|Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence?||Yes|
|Tooling||To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are
open tasks that would prevent this incident or make mitigation easier if implemented.
|Were the people responding able to communicate effectively during the incident with the existing tooling?||Yes|
|Did existing monitoring notify the initial responders?||No||We have no monitoring for this sort of issue|
|Were the engineering tools that were to be used during the incident, available and in service?||Yes|
|Were the steps taken to mitigate guided by an existing runbook?||No|
|Total score (count of all “yes” answers above)|